Denial-of-Service Vulnerability in WSO2 Magic Link Authentication
CVE-2025-10470

8.6 HIGH

What is CVE-2025-10470?

The WSO2 Magic Link authentication flow is susceptible to a denial-of-service vulnerability caused by inadequate rate limiting and resource management. Repeated invalid authentication requests cause uncontrolled memory growth, which can lead to service unavailability. Deployments that use the Magic Link authenticator are the ones at risk: repeated invalid attempts can degrade their performance or cause downtime.

Affected Version(s)

WSO2 Carbon MagicLink Authenticator Module 1.1.22 < 1.1.22.3

WSO2 Identity Server 7.0.0 < 7.0.0.121

WSO2 Carbon MagicLink Authenticator Module 1.1.31

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
