CVE-2025-12624

Name of the Vulnerable Software and Affected Versions WSO2 Identity Server (affected versions not specified)

Description Active access tokens are not revoked or invalidated when a user account is locked. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.