WSO2 Identity Server Account Lock Bypass Vulnerability via Magic Link or Pass Key Authentication

Vulnerability

A vulnerability exists in WSO2 Identity Server versions 6.0.0, 6.1.0, 7.0.0, and 7.1.0 that allows a locked user account to be authenticated through the Magic Link or Pass Key methods. The issue arises from inadequate validation of the user account state during authentication, so that these login methods grant access to accounts that should be restricted. As a result, unauthorized access to applications and sensitive data linked to these accounts may occur, undermining the account lock mechanism, which is designed to prevent further login attempts.

Impact

Exploitation of this vulnerability could lead to unauthorized access to applications and sensitive data associated with locked user accounts, bypassing the intended security controls that restrict access to these accounts.

Remediation

Users of WSO2 Identity Server can update to version 7.1.0 (update level 31), 7.0.0 (update level 124), 6.1.0 (update level 248), or 6.0.0 (update level 249). Community users can apply the relevant fixes available on GitHub.
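The defect class described above, as an added illustration that is not WSO2 code: a constructed in-memory user store with three login methods, where the weak dispatcher leaves lock enforcement to each authenticator (only the password path performs it, so the magic-link and passkey paths admit a locked account), and the hardened dispatcher checks the account state once before any authenticator result is accepted. All names, the user records and the timestamp are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class User:
    username: str
    password: str
    locked: bool = False
    unlock_time: Optional[datetime] = None  # None: locked until an admin unlocks

def is_locked(user: User, now: datetime) -> bool:
    """Single account-state check shared by every login method."""
    if not user.locked:
        return False
    return user.unlock_time is None or now < user.unlock_time  # expired lock opens

# Constructed store: "alice" is locked after too many failed password attempts.
USERS = {"alice": User("alice", "s3cret", locked=True),
         "bob": User("bob", "hunter2")}
NOW = datetime(2026, 5, 11, 10, 22)  # constructed reference time

# Each authenticator verifies only its own factor. The magic-link and passkey
# paths mirror the flaw: they never consult the account state themselves.
def password_auth(user: User, password: str, now: datetime) -> bool:
    return not is_locked(user, now) and user.password == password
def magic_link_auth(user: User, token_valid: bool) -> bool:
    return token_valid
def passkey_auth(user: User, assertion_valid: bool) -> bool:
    return assertion_valid

def _dispatch(user: User, method: str, proof, now: datetime) -> bool:
    if method == "password":
        return password_auth(user, proof, now)
    if method == "magic_link":
        return magic_link_auth(user, proof)
    if method == "passkey":
        return passkey_auth(user, proof)
    return False

def login_weak(username: str, method: str, proof, now: datetime) -> bool:
    """Vulnerable pattern: lock enforcement left to each authenticator."""
    user = USERS.get(username)
    return user is not None and _dispatch(user, method, proof, now)

def login_hardened(username: str, method: str, proof, now: datetime) -> bool:
    """Fix pattern: one central gate rejects locked accounts for every method."""
    user = USERS.get(username)
    if user is None or is_locked(user, now):
        return False
    return _dispatch(user, method, proof, now)
```

The point to carry over to any identity provider is that the lock check belongs in the shared authentication pipeline, not in individual authenticators, so that adding a new login method cannot silently skip it.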

Added: May 11, 2026, 10:22 AM
Updated: May 11, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 7.2
remediation: 7.7
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.