CWE-645

Overly Restrictive Account Lockout Mechanism

Abstraction: Base | Status: Incomplete | Structure: Simple | 7 CVEs
The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.

Extended description

Account lockout is a security feature often present in applications as a countermeasure to brute-force attacks on the system's password-based authentication mechanism. After a certain number of failed login attempts, the user's account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users: anyone who can submit login attempts against a victim's account name can trigger the lockout. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive.

Common consequences (1)

  • Availability: DoS: Resource Consumption (Other)

    Users could be locked out of accounts.

Potential mitigations (3)

  1. Architecture and Design

    Implement more intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.

  2. Architecture and Design

    Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout.

  3. Architecture and Design

    Consider alternatives to account lockout that would still be effective against password brute-force attacks, such as presenting the user's machine with a puzzle to solve (a proof of work that makes the client do some computation per attempt).

Relationships (1)

CVEs referencing this CWE (7)

Columns: CVE | Description | Severity (score) | EPSS (probability, percentile) | Flags | Modified

CVE-2024-1722

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

Severity: MEDIUM (5.3) | EPSS: 0.77% (percentile 51) | Flags: - | Modified: 2025-11-21

CVE-2023-4346

KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way.

Severity: HIGH (7.5) | EPSS: 0.48% (percentile 38) | Flags: - | Modified: 2024-11-21

CVE-2024-37028

BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity: MEDIUM (5.3) | EPSS: 0.45% (percentile 36) | Flags: - | Modified: 2024-08-20

CVE-2025-5241

Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows a remote unauthenticated attacker to lock out legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. The legitimate users will be unable to log in until a certain period has passed after the lockout or until the product is reset.

Severity: MEDIUM (5.3) | EPSS: 0.37% (percentile 29) | Flags: - | Modified: 2026-04-15

CVE-2026-53982

Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.

Severity: MEDIUM (6.5) | EPSS: 0.33% (percentile 25) | Flags: - | Modified: 2026-06-15

CVE-2025-31947

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost.

Severity: MEDIUM (5.3) | EPSS: 0.29% (percentile 20) | Flags: - | Modified: 2025-10-06

CVE-2026-25907

Dell PowerScale OneFS, version 9.13.0.0, contains an overly restrictive account lockout mechanism vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.

Severity: HIGH (7.5) | EPSS: 0.26% (percentile 17) | Flags: - | Modified: 2026-03-04