Security Advisory WSO2-2025-4493/CVE-2025-11850

Published: June 18, 2026

Updated: June 18, 2026

Version: 1.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVE IDs: CVE-2025-11850


AFFECTED PRODUCTS

• WSO2 Identity Server: 7.1.0, 7.0.0

OVERVIEW

Potential improper implicit association.

DESCRIPTION

When secondary user stores are present, the implicit-association resolver initializes from a secondary user store and skips the primary user store during search and uniqueness checks. As a result, a subject could be linked to an unintended local account if the same lookup claim (e.g., username or email) exists in both the primary and a secondary store.

IMPACT

If duplicate claim values (e.g., username or email) exist across the primary and secondary user stores, this issue may result in identity confusion due to incorrect implicit associations when an external Identity Provider (IDP) is used. Consequently, legitimate user accounts in the primary user store may fail to associate correctly with their corresponding external IDP accounts. This could restrict the external IDP user's access if the matching account in the secondary user store possesses fewer privileges than the primary account. Deployments are not affected if no secondary user stores are configured, implicit association is disabled, or the claim values are globally unique across all user stores.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name            Product Version    Update Level
WSO2 Identity Server    7.1.0              40
WSO2 Identity Server    7.0.0              132

Once you have applied the fix using any of the methods mentioned above, it is recommended to add the following configuration to the /repository/conf/deployment.toml file, so that the primary user store is included in implicit-association lookups when secondary user stores are present:

[token_exchange.implicit_association]
include_primary_when_secondary_present = true