← Retour aux CVEs
CVE-2025-12624
MEDIUM6.0
Description
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.
Details CVE
Score CVSS v3.16.0
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Vecteur d'attaqueNETWORK
ComplexiteHIGH
Privileges requisLOW
Interaction utilisateurNONE
Publie4/16/2026
Derniere modification4/17/2026
Sourcenvd
Observations honeypot0
Faiblesses (CWE)
CWE-613
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4684/(ed10eef1-636d-4fbe-9993-6890dfa878f8)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.