cvedb.io
CVE-2025-0672
LOW · CVSS 3.3
EPSS exploitation probability: 0%
Published 2025-09-23T18:15:30.863 · Last modified 2026-06-17T08:26:56.507

Summary

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

Affected products

wso2 — identity_server

Does this affect you?

Add your gear to cvedb and we'll alert you only when wso2 ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.