WSO2 Products FIDO Authentication Bypass Vulnerability Allowing User Impersonation

Vulnerability

An authentication bypass has been identified in multiple WSO2 products that use FIDO authentication. When a user account is deleted, its FIDO registration data is not removed along with it. Because that orphaned registration is still keyed by the username, a new account later created with the same username inherits the deleted account's FIDO device. The former user can then authenticate with that device and impersonate the new account, gaining unauthorized access. The vulnerability affects WSO2 Identity Server versions 5.11.0 and 5.10.0, WSO2 Identity Server as Key Manager 5.10.0, and WSO2 Open Banking IAM 2.0.0.
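
The following model reproduces the failure described above and sets it beside the corrected behaviour. It is an added illustration, not WSO2 code: the class names, the in-memory tables and the HMAC stand-in for FIDO signatures are all assumptions made for the example. The only difference between the two relying parties is whether account deletion also drops the account's FIDO registrations.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Stand-in for a FIDO device that stays in the former user's hands.

    A real authenticator signs the challenge with a private key and the relying
    party verifies with the registered public key. HMAC-SHA256 with a shared key
    is used here only to keep the example stdlib-only (a constructed
    simplification); the ownership logic under test does not depend on it.
    """

    def __init__(self):
        self.credential_id = secrets.token_bytes(16)
        self._key = secrets.token_bytes(32)

    def attestation(self):
        # What the relying party stores at registration time.
        return self.credential_id, self._key

    def sign(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class VulnerableRelyingParty:
    """FIDO registrations live in a separate table keyed by username, and
    delete_user() never touches that table (modelled behaviour, not WSO2's
    actual implementation)."""

    def __init__(self):
        self.users = {}   # username -> opaque user id
        self.fido = {}    # username -> {credential_id: key}

    def create_user(self, username: str) -> str:
        if username in self.users:
            raise ValueError("username taken")
        uid = secrets.token_hex(8)
        self.users[username] = uid
        return uid

    def delete_user(self, username: str) -> None:
        del self.users[username]   # FIDO rows for this username are orphaned here

    def register_fido(self, username: str, device: Authenticator) -> None:
        cred_id, key = device.attestation()
        self.fido.setdefault(username, {})[cred_id] = key

    def authenticate(self, username: str, device: Authenticator):
        """Return the authenticated user id, or None on failure."""
        if username not in self.users:
            return None
        key = self.fido.get(username, {}).get(device.credential_id)
        if key is None:
            return None
        challenge = secrets.token_bytes(32)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, device.sign(challenge)):
            return None
        return self.users[username]


class FixedRelyingParty(VulnerableRelyingParty):
    """Same tables, but account deletion also drops the account's FIDO
    registrations, so a reused username starts with none."""

    def delete_user(self, username: str) -> None:
        self.fido.pop(username, None)
        super().delete_user(username)


def old_device_accepted(rp) -> bool:
    """Replay the advisory's scenario and report whether the former user's
    authenticator is accepted for the newly created account."""
    first_uid = rp.create_user("alice")
    former_users_device = Authenticator()
    rp.register_fido("alice", former_users_device)
    # Sanity check: the legitimate first owner can log in.
    assert rp.authenticate("alice", former_users_device) == first_uid

    rp.delete_user("alice")                # account gone, device still exists
    second_uid = rp.create_user("alice")   # a different person, same username
    assert second_uid != first_uid

    # The former user presents the old device against the new account.
    return rp.authenticate("alice", former_users_device) == second_uid


if __name__ == "__main__":
    print("vulnerable store accepts old device:", old_device_accepted(VulnerableRelyingParty()))
    print("fixed store accepts old device:", old_device_accepted(FixedRelyingParty()))
```

Running the model shows the vulnerable store handing the second "alice" account to the first owner's device, while the fixed store rejects it. Keying FIDO registrations by the opaque user id instead of the username would close the same gap, since a recreated account receives a fresh id; either way, deprovisioning must treat the account row and its credentials as one unit.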

Impact

Exploitation of this vulnerability could lead to unauthorized access by allowing a former user to impersonate a new account created with the same username.

Remediation

WSO2 recommends updating to the latest version of the affected products. Support subscription holders can use WSO2 Updates to apply the fix. Because the flaw is orphaned registration data, administrators of affected versions should also confirm that no FIDO registrations remain for usernames whose accounts have already been deleted before those usernames are reused.

Added: Sep 23, 2025, 6:28 PM
Updated: Sep 23, 2025, 6:28 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          5.0
  exploitability  5.4
  remediation     7.7
  relevance       0.6
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.