Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows...

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Description

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.

This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.

Basic Information

ID CVE-2025-10470

Source WSO2

Published May 11, 2026 at 10:16

Affected Product

Vendor WSO2

Product WSO2 Identity Server

Version 7.0.0

Affected Versions WSO2 WSO2 Identity Server 7.0.0
WSO2 WSO2 Carbon MagicLink Authenticator Module 1.1.22

CWE Classification

CWE-400

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/

{
    "lastseen": "",
    "description": "The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.\n\nThis vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.",
    "published": "2026-05-11T10:16:52.358Z",
    "modified": "2026-05-11T10:16:52.358Z",
    "type": "cve",
    "title": "Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/",
    "id": "CVE-2025-10470",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 Identity Server 7.0.0\nWSO2 WSO2 Carbon MagicLink Authenticator Module 1.1.22",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 Identity Server",
    "version": "7.0.0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability_CVE-2025-10470