WSO2 Identity Server Access Token Revocation Vulnerability in Locked Accounts

Vulnerability

A vulnerability exists in WSO2 Identity Server version 5.2.0, where active access tokens are not revoked when a user account is locked. This oversight allows locked accounts to continue accessing protected resources using unexpired tokens, bypassing access control measures and potentially leading to unauthorized data access or actions.
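The mitigation pattern behind this issue is that locking an account must also invalidate, or at least neutralise, the tokens already issued to it. The following Python model is an added illustration, not WSO2 code: a hypothetical naive token service that leaves tokens valid after a lock (the behaviour the advisory describes) next to a hardened one that revokes the user's tokens on lock and re-checks the account state at introspection time, so a token that slipped past revocation is still rejected. All class, user and timing values are constructed for the example.

```python
"""
Added illustration (not WSO2 code): tying access-token validity to the
account lock state.

  NaiveTokenService    - lock_account() only marks the user locked; tokens
                         stay usable until they expire.
  HardenedTokenService - lock_account() revokes the user's tokens, and
                         is_active() also checks the lock state, so even a
                         token missed by revocation is refused.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Token:
    value: str
    user: str
    expires_at: float


@dataclass
class NaiveTokenService:
    tokens: dict = field(default_factory=dict)   # token value -> Token
    locked: set = field(default_factory=set)     # locked user names

    def issue(self, user, ttl=3600, now=None):
        """Issue a bearer token for `user` valid for `ttl` seconds."""
        now = time.time() if now is None else now
        tok = Token(secrets.token_urlsafe(32), user, now + ttl)
        self.tokens[tok.value] = tok
        return tok.value

    def lock_account(self, user):
        # Flaw modelled here: issued tokens are left untouched.
        self.locked.add(user)

    def is_active(self, value, now=None):
        """Introspection: only existence and expiry are checked."""
        now = time.time() if now is None else now
        tok = self.tokens.get(value)
        return tok is not None and tok.expires_at > now


class HardenedTokenService(NaiveTokenService):
    def lock_account(self, user):
        super().lock_account(user)
        # Revoke every token issued to the locked user.
        for v in [v for v, t in self.tokens.items() if t.user == user]:
            del self.tokens[v]

    def is_active(self, value, now=None):
        now = time.time() if now is None else now
        tok = self.tokens.get(value)
        if tok is None or tok.expires_at <= now:
            return False
        # Defence in depth: re-check the account state on every introspection,
        # so a token that survived revocation cannot be used while locked.
        return tok.user not in self.locked


def lock_then_use(cls, now=1000.0):
    """Issue a token, lock the account, then introspect the token.

    Returns True if the locked account's token is still accepted."""
    svc = cls()
    tok = svc.issue("alice", now=now)        # constructed user name
    svc.lock_account("alice")
    return svc.is_active(tok, now=now + 1)


def demo():
    return {cls.__name__: lock_then_use(cls)
            for cls in (NaiveTokenService, HardenedTokenService)}


if __name__ == "__main__":
    # Expected: {'NaiveTokenService': True, 'HardenedTokenService': False}
    print(demo())
```

The lock hook and the introspection check are deliberately both present: revocation closes the window for tokens the server knows about, while the introspection check covers tokens held elsewhere (another node, a cache) and gives a single place to audit.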

Impact

Locked user accounts can maintain access to protected resources through existing, valid access tokens, creating a security gap that bypasses access control policies.

Remediation

Community users should migrate to the latest unaffected version of WSO2 Identity Server. Support subscription holders can update to version 5.2.0, update level 35, to address this vulnerability.

Added: Apr 16, 2026, 11:25 AM
Updated: Apr 16, 2026, 11:25 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          1.3
  exploitability  5.4
  remediation     7.7
  relevance       6.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.