QSearchQSearch

CVE-2025-10470

8.6 HIGH

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, l...

Published: 2026-05-11 · Last updated: 2026-05-27

Severity and scoring

CVSS
8.6 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE
CWE-400

Affected products

VendorProduct
wso2identity_server

Description

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2025-9973 Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive aut... (6.4 MEDIUM)
  • CVE-2025-8325 The software fails to enforce role-based access controls for certain Gateway API invocations (6.3 MEDIUM)
  • CVE-2025-8154 In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitizat... (5.3 MEDIUM)
  • CVE-2025-10908 Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic ... (7.3 HIGH)
  • CVE-2024-0391 The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the exis... (5.3 MEDIUM)

Same CWE

  • CVE-2026-47734 Dulwich is a pure-Python implementation of the Git file formats and protocols (5.7 MEDIUM)
  • CVE-2026-46689 Kanidm is an identity management platform
  • CVE-2026-46679 libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)
  • CVE-2026-46522 ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
  • CVE-2026-45783 libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)