Description
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.

This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.
Published: 2026-05-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Magic Link authentication flow accepts repeated invalid authentication requests without adequate rate limiting or resource control, so server-side memory grows with every attempt and is never reclaimed. This resource exhaustion can lead to a denial‑of‑service condition, rendering the affected instance unavailable. The weakness is CWE‑400 (Uncontrolled Resource Consumption): state is allocated per request without an upper bound or expiry.

Affected Systems

The flaw affects the WSO2 Carbon MagicLink Authenticator Module and WSO2 Identity Server deployments that have the Magic Link authenticator enabled. The CVE record gives no version range, so any installation with the Magic Link authenticator configured should be treated as potentially affected until it is checked against the WSO2 advisory.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 8.6 (High) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H: reachable from the network, low attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact, with a scope change. The EPSS score is below 1%, which estimates that exploitation in the wild is currently unlikely; it does not mean the attack is difficult, since it consists of sending repeated invalid authentication requests to the Magic Link endpoint until memory is exhausted. The SSVC record marks it as Automatable. It is not listed in the CISA KEV catalog. The attack does not require privileged access and does not directly lead to lateral movement or data exfiltration beyond the denial‑of‑service effect.

Generated by OpenCVE AI on May 11, 2026 at 17:38 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/#solution


OpenCVE Recommended Actions

  • Install the vendor‑supplied fix as detailed in the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/#solution
  • If a patch is not yet available, temporarily disable or remove the Magic Link authenticator from the deployment to remove the affected attack surface
  • Configure rate limiting or other resource controls in front of the Magic Link endpoint (for example at a reverse proxy or WAF) so that repeated invalid requests from one source are rejected before they reach the authenticator, and alert on sustained memory growth on Identity Server nodes

Generated by OpenCVE AI on May 11, 2026 at 17:38 UTC.
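The third recommended action above, rate limiting the Magic Link endpoint, is illustrated here with an added example that is not WSO2 code and not part of the original advisory: a per-source sliding-window limiter run over constructed access-log lines. The endpoint path `/commonauth` and the `mlt` query parameter are assumptions about how Magic Link validation requests look, as is the Common Log Format; adjust both to what your deployment actually logs. The same `allow()` check is what you would wire into a reverse proxy or a request filter so that excess requests get a 429 instead of reaching the authenticator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed (hypothetical) Magic Link validation endpoint and token parameter.
# WSO2's actual path/parameter may differ; this is not taken from the advisory.
MAGIC_LINK_PATH = "/commonauth"
MAGIC_LINK_PARAM = "mlt"

# Constructed sample access-log lines in Common Log Format (not real traffic).
# 203.0.113.9 fires six validation requests in four seconds, then one more 90s later.
SAMPLE_LOG = """\
203.0.113.9 - - [11/May/2026:12:00:00 +0000] "GET /commonauth?mlt=bad-token-1 HTTP/1.1" 302 0
203.0.113.9 - - [11/May/2026:12:00:01 +0000] "GET /commonauth?mlt=bad-token-2 HTTP/1.1" 302 0
203.0.113.9 - - [11/May/2026:12:00:02 +0000] "GET /commonauth?mlt=bad-token-3 HTTP/1.1" 302 0
203.0.113.9 - - [11/May/2026:12:00:02 +0000] "GET /commonauth?mlt=bad-token-4 HTTP/1.1" 302 0
203.0.113.9 - - [11/May/2026:12:00:03 +0000] "GET /commonauth?mlt=bad-token-5 HTTP/1.1" 302 0
203.0.113.9 - - [11/May/2026:12:00:03 +0000] "GET /commonauth?mlt=bad-token-6 HTTP/1.1" 302 0
198.51.100.7 - - [11/May/2026:12:00:04 +0000] "GET /commonauth?mlt=some-token HTTP/1.1" 302 0
203.0.113.9 - - [11/May/2026:12:00:05 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 512
203.0.113.9 - - [11/May/2026:12:01:30 +0000] "GET /commonauth?mlt=bad-token-7 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds.

    The limiter's own state is bounded: expired timestamps are dropped on every
    call and idle keys are evicted by prune(), so the control does not itself
    become a CWE-400 memory sink.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> deque of epoch seconds (allowed hits only)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # rejected requests are not recorded, so they hold no memory
        q.append(now)
        return True

    def prune(self, now: float) -> None:
        """Evict keys whose last hit is older than the window."""
        stale = [k for k, q in self.hits.items() if not q or now - q[-1] >= self.window]
        for k in stale:
            del self.hits[k]


def is_magic_link_request(target: str) -> bool:
    parts = urlsplit(target)
    return parts.path == MAGIC_LINK_PATH and MAGIC_LINK_PARAM in parse_qs(parts.query)


def evaluate(log_text: str, limit: int = 5, window: float = 60.0) -> list:
    """Replay the log through the limiter; return one decision per Magic Link request."""
    limiter = SlidingWindowLimiter(limit, window)
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_magic_link_request(m["target"]):
            continue  # other endpoints are not subject to this limiter
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        allowed = limiter.allow(m["ip"], now)
        limiter.prune(now)
        decisions.append({"ip": m["ip"], "ts": m["ts"], "allowed": allowed})
    return decisions


def blocked_counts(log_text: str, limit: int = 5, window: float = 60.0) -> dict:
    """Per-source count of Magic Link requests the limiter would have rejected."""
    counts = defaultdict(int)
    for d in evaluate(log_text, limit, window):
        if not d["allowed"]:
            counts[d["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for d in evaluate(SAMPLE_LOG):
        print(d)
    print("blocked per source:", blocked_counts(SAMPLE_LOG))
```

With a limit of 5 per 60 seconds, the sixth request from 203.0.113.9 at 12:00:03 is rejected, the request from 198.51.100.7 is unaffected, the `/carbon/admin/login.jsp` hit is ignored, and the request at 12:01:30 is allowed again because the earlier hits have aged out. Keying on source IP alone is the simplest choice; behind a shared NAT or a distributed attacker you would also want a global ceiling on the endpoint, which is the same limiter with a constant key.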

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Values added:
  First Time appeared: Wso2 identity Server
  Vendors & Products: Wso2 identity Server

Mon, 11 May 2026 15:15:00 +0000

Values added:
  Description: The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.
  Title: Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability
  First Time appeared: Wso2; Wso2 wso2 Carbon Magiclink Authenticator Module; Wso2 wso2 Identity Server
  Weaknesses: CWE-400
  CPEs: cpe:2.3:a:wso2:wso2_carbon_magiclink_authenticator_module:*:*:*:*:*:*:*:*; cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*
  Vendors & Products: Wso2; Wso2 wso2 Carbon Magiclink Authenticator Module; Wso2 wso2 Identity Server
  References:
  Metrics:
    cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-05-11T12:38:39.383Z

Reserved: 2025-09-15T08:51:01.163Z

Link: CVE-2025-10470

Vulnrichment

Updated: 2026-05-11T12:38:36.189Z

NVD

Status : Received

Published: 2026-05-11T12:16:10.530

Modified: 2026-05-11T12:16:10.530

Link: CVE-2025-10470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:15Z

Weaknesses