CVE-2025-10908

WSO2 · Identity Server / Carbon MagicLink Authenticator Module

A flaw in WSO2 authentication modules allows locked accounts to be accessed via Magic Link or Pass Key, bypassing standard account state validation.

Executive summary

A critical authentication bypass in WSO2 Identity Server and MagicLink Authenticator allows access to locked accounts, requiring an immediate update to patched versions.

Vulnerability

This is an authentication bypass vulnerability (CWE-863) where the system fails to validate account state (e.g., locked status) when using Magic Link or Pass Key methods. This is an unauthenticated vulnerability (PR:N) that does not require user interaction.

Business impact

This vulnerability enables attackers to gain access to accounts that have been explicitly locked by administrators for security reasons. This bypass undermines organizational access control policies, potentially allowing attackers to maintain persistence or access sensitive data. The CVSS score of 7.3 highlights the high risk posed by failing to enforce account state during the authentication flow.

Remediation

Immediate Action: Update the WSO2 Carbon MagicLink Authenticator Module to version 1.1.43 or later as specified in the official WSO2 security advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/.

Proactive Monitoring: Review authentication logs for successful logins occurring on accounts marked as "locked" or "disabled" within the WSO2 platform.

Compensating Controls: Temporarily disable the MagicLink and Pass Key authentication methods if an immediate update cannot be performed.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a direct bypass of account security controls. Organizations using the affected WSO2 components must prioritize the application of the vendor-provided patches immediately to ensure that locked accounts remain secure and inaccessible to unauthorized parties.