Platform: java
Component: wso2-identity-server
Fixed in: 5.2.0.35
CVE-2025-12624 affects WSO2 Identity Server versions from 0.0.0 through 5.2.0.35. This vulnerability allows previously issued access tokens to remain valid even after a user account is locked, effectively bypassing access control policies. The issue arises from the failure to revoke or invalidate these tokens during the account locking process. A fix is available in version 5.2.0.35.
The primary impact of CVE-2025-12624 is the potential for unauthorized access to protected resources. A locked user account, possessing a valid, unexpired access token, can continue to access systems and data they should no longer have access to. This bypasses the intended security measure of account locking, creating a significant security gap. Attackers could exploit this to maintain persistent access even after an account is compromised or deemed a security risk. The blast radius extends to any resource protected by WSO2 Identity Server's authentication mechanisms, potentially exposing sensitive data and enabling malicious actions.
CVE-2025-12624 was published on 2026-04-16. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept code is not currently available. The vulnerability's impact is dependent on the presence of valid access tokens issued before the account was locked, making exploitation less likely in environments with short token lifetimes.
Exploit Status
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2025-12624 is to upgrade WSO2 Identity Server to version 5.2.0.35 or later, which includes the fix. If immediate upgrade is not feasible, consider implementing a workaround by proactively invalidating all access tokens associated with a user account upon locking. This can be achieved through custom scripting or integration with the Identity Server's API. Monitor access token usage patterns for anomalies. After upgrading, verify the fix by locking a user account and confirming that all associated access tokens are immediately invalidated.
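The workaround and the monitoring advice above both need the same correlation: which tokens were still outstanding when an account was locked (the set a lock-time revocation hook must cover), and whether any token was accepted after the lock. The following is an added example, not code from the page or from WSO2; it runs over a constructed, simplified audit stream, and the event names (`ACCOUNT_LOCKED`, `TOKEN_ACCEPTED`, ...) and `key=value` fields are assumptions for illustration, not the Identity Server's real log format.

```python
"""Correlate account-lock events with access-token activity.

Added example, not WSO2 code. The log format below is constructed and
simplified: '<ISO-8601 UTC timestamp> <EVENT> key=value ...'. Event names and
field names are assumptions for this illustration.
"""
from datetime import datetime, timezone

# Constructed sample audit stream (not real WSO2 Identity Server output).
# TOKEN_ACCEPTED means a resource server / introspection call accepted the token.
SAMPLE_LOG = """\
2026-04-16T10:00:00Z TOKEN_ISSUED user=alice token=tok-a1
2026-04-16T10:05:00Z TOKEN_ACCEPTED user=alice token=tok-a1
2026-04-16T10:10:00Z ACCOUNT_LOCKED user=alice
2026-04-16T10:12:00Z TOKEN_ACCEPTED user=alice token=tok-a1
2026-04-16T10:20:00Z TOKEN_ISSUED user=bob token=tok-b1
2026-04-16T10:21:00Z ACCOUNT_LOCKED user=bob
2026-04-16T10:21:01Z TOKEN_REVOKED user=bob token=tok-b1
2026-04-16T10:25:00Z TOKEN_REJECTED user=bob token=tok-b1
2026-04-16T10:30:00Z ACCOUNT_UNLOCKED user=alice
2026-04-16T10:35:00Z TOKEN_ACCEPTED user=alice token=tok-a1
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, fields)."""
    ts_str, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event, fields


def iter_events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def tokens_outstanding_at_lock(log_text):
    """For each ACCOUNT_LOCKED event, list the user's tokens that were issued
    and not yet revoked at that instant. This is exactly the set a lock-time
    revocation hook (the workaround) has to invalidate."""
    live = {}  # user -> set of token ids currently issued and unrevoked
    result = []
    for ts, event, f in iter_events(log_text):
        user, token = f.get("user"), f.get("token")
        if event == "TOKEN_ISSUED":
            live.setdefault(user, set()).add(token)
        elif event == "TOKEN_REVOKED":
            live.get(user, set()).discard(token)
        elif event == "ACCOUNT_LOCKED":
            result.append({
                "user": user,
                "locked_at": ts.isoformat(),
                "tokens": sorted(live.get(user, set())),
            })
    return result


def find_post_lock_token_use(log_text):
    """Flag every token accepted while its owner's account was locked.
    An accepted token here is the observable symptom of the flaw: the lock
    did not invalidate the token. Unlock clears the locked state."""
    locked_since = {}  # user -> lock timestamp, present only while locked
    findings = []
    for ts, event, f in iter_events(log_text):
        user = f.get("user")
        if event == "ACCOUNT_LOCKED":
            locked_since[user] = ts
        elif event == "ACCOUNT_UNLOCKED":
            locked_since.pop(user, None)
        elif event == "TOKEN_ACCEPTED" and user in locked_since:
            findings.append({
                "user": user,
                "token": f.get("token"),
                "locked_at": locked_since[user].isoformat(),
                "used_at": ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for entry in tokens_outstanding_at_lock(SAMPLE_LOG):
        print("outstanding at lock:", entry)
    for finding in find_post_lock_token_use(SAMPLE_LOG):
        print("ALERT token accepted for locked account:", finding)
```

In the sample, alice's token is accepted two minutes after her lock and is reported; her later use after the unlock is not, and bob's token is never reported because the hook revoked it one second after the lock and the later attempt was rejected. The `tokens_outstanding_at_lock` output is what a post-upgrade verification should compare against: after locking a test account, each listed token should fail introspection.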
Update WSO2 Identity Server to version 5.2.0.35 or higher to mitigate the vulnerability. This update corrects the improper token invalidation issue, ensuring that locked accounts cannot access protected resources through previously issued tokens.
CVE-2025-12624 is a medium severity vulnerability affecting WSO2 Identity Server versions 0.0.0–5.2.0.35 where locked user accounts can maintain access via valid tokens.
You are affected if you are using WSO2 Identity Server versions 0.0.0 through 5.2.0.35 and have not upgraded to 5.2.0.35.
Upgrade WSO2 Identity Server to version 5.2.0.35 or later. As a temporary workaround, invalidate access tokens upon account lock.
There is currently no evidence of active exploitation of CVE-2025-12624.
Refer to the official WSO2 security advisory for CVE-2025-12624 on the WSO2 website.