CVE-2025-10470
Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability
CVSS Score
8.6
EPSS Score
0.0%
EPSS Percentile
0th
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.
| CWE | CWE-400 |
| Vendor | wso2 |
| Product | wso2 identity server |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for wso2 wso2 identity server
Be the first to know when new high vulnerabilities affecting wso2 wso2 identity server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
WSO2 / WSO2 Identity Server
7.0.0 < 7.0.0.121
WSO2 / WSO2 Carbon MagicLink Authenticator Module
1.1.22 < 1.1.22.3