Impact
A flaw in WSO2 Identity Server's authentication process causes the system to overlook the locked state of user accounts when the Magic Link or Pass Key authentication methods are used. This omission permits an attacker who knows a locked account's identifier to authenticate as that account, gaining unauthorized access to the associated applications and sensitive data that the lock mechanism should have prevented. Based on the description, it is inferred that an attacker would need to know the locked account's username to exploit the flaw. The vulnerability directly undermines the effectiveness of the account lock control and is classified as CWE-863 (Incorrect Authorization).
Affected Systems
The affected products are WSO2 Carbon MagicLink Authenticator Module and WSO2 Identity Server. Version information is not disclosed in the advisory, so all released builds of these components are potentially vulnerable until the recommended update is applied.
Risk and Exploitability
The CVSS score of 7.3 indicates a high-severity vulnerability. The EPSS score is below 1%, suggesting a low probability of current exploitation. Because the Magic Link and Pass Key methods are network-facing authentication flows, the vulnerability can be triggered remotely over the network using those legitimate flows, as inferred from the description. Although the issue is not listed in the CISA KEV catalog, the possibility of gaining unauthorized access to sensitive user data and applications makes the risk significant. The official WSO2 solution addresses the flaw by enforcing proper account state validation during authentication.
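The flaw class described in the Impact section, and the fix described above (account state validation in every authentication flow), modelled as an added illustration; this is constructed example code, not WSO2's implementation. It assumes a toy user store in which the password flow honours the lock but a magic-link flow does not, and shows the hardened variant checking lock state both when a link is issued and when it is redeemed.

```python
# Added example (not WSO2 code): a toy identity service reproducing the
# bug class "lock enforced in one authenticator but not another".
import secrets
from dataclasses import dataclass


class AccountLocked(Exception):
    """Raised when an authenticator refuses a locked account."""


@dataclass
class User:  # constructed user record
    username: str
    locked: bool = False


class IdentityService:
    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.magic_tokens = {}  # token -> username, single use

    # Password flow: lock state is enforced here (the expected behaviour).
    def password_login(self, username, password_ok):
        if self.users[username].locked:
            raise AccountLocked(username)
        return password_ok

    # Vulnerable magic-link flow: lock state is never consulted, so a locked
    # user whose username is known can still complete sign-in.
    def issue_magic_link_vulnerable(self, username):
        token = secrets.token_urlsafe(32)
        self.magic_tokens[token] = username
        return token

    def redeem_magic_link_vulnerable(self, token):
        return self.magic_tokens.pop(token)

    # Hardened flow: check at issuance and again at redemption, because the
    # account may have been locked after the link was sent.
    def issue_magic_link(self, username):
        if self.users[username].locked:
            raise AccountLocked(username)
        return self.issue_magic_link_vulnerable(username)

    def redeem_magic_link(self, token):
        username = self.magic_tokens.pop(token)
        if self.users[username].locked:
            raise AccountLocked(username)
        return username


def can_sign_in(issue, redeem, username):
    """True if the given issue/redeem pair lets `username` sign in."""
    try:
        return redeem(issue(username)) == username
    except AccountLocked:
        return False
```

The same pattern applies to any passwordless authenticator: the lock check belongs in a shared pre-authentication step rather than in each flow separately.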
OpenCVE Enrichment