WSO2 Identity Server Magic Link Authentication Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in WSO2 Identity Server version 7.0.0, specifically within the Magic Link authentication flow. This issue arises because the authentication process allows multiple invalid requests without proper rate limiting or resource management. As a result, memory usage can grow uncontrollably, leading to service unavailability. The vulnerability requires repeated invalid authentication attempts to be exploited.
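The description above names two missing controls: rate limiting of invalid requests and a bound on the resources they consume. The following sketch is an added illustration of both, not WSO2's code or its published fix; the class name, method names, and limits are hypothetical, and the input in `main` is constructed.

```java
import java.util.ArrayDeque;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical limiter for failed authentication attempts; not WSO2 code. */
public class FailedAttemptLimiter {
    private final int maxFailures;    // failures allowed per client per window
    private final long windowMillis;  // sliding window length in milliseconds
    private final Map<String, ArrayDeque<Long>> failures;

    public FailedAttemptLimiter(int maxFailures, long windowMillis, final int maxClients) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        // Access-ordered map that evicts the least recently used client once
        // maxClients is exceeded, so the limiter's own state stays bounded.
        this.failures = new LinkedHashMap<String, ArrayDeque<Long>>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, ArrayDeque<Long>> eldest) {
                return size() > maxClients;
            }
        };
    }

    /** Returns true if the client may attempt authentication at time now. */
    public synchronized boolean allow(String clientKey, long now) {
        ArrayDeque<Long> q = failures.get(clientKey);
        if (q == null) return true;
        prune(q, now);
        if (q.isEmpty()) { failures.remove(clientKey); return true; }
        return q.size() < maxFailures;
    }

    /** Records an invalid attempt; each client's queue holds at most maxFailures entries. */
    public synchronized void recordFailure(String clientKey, long now) {
        ArrayDeque<Long> q = failures.computeIfAbsent(clientKey, k -> new ArrayDeque<>());
        prune(q, now);
        if (q.size() == maxFailures) q.pollFirst();
        q.addLast(now);
    }

    // Drops timestamps that have aged out of the sliding window.
    private void prune(ArrayDeque<Long> q, long now) {
        while (!q.isEmpty() && now - q.peekFirst() >= windowMillis) q.pollFirst();
    }

    public synchronized int trackedClients() { return failures.size(); }

    public static void main(String[] args) {
        FailedAttemptLimiter l = new FailedAttemptLimiter(3, 60_000, 1000);
        // Constructed input: 5,000 distinct client keys, 5 invalid attempts each.
        for (int c = 0; c < 5000; c++) for (int i = 0; i < 5; i++) l.recordFailure("client-" + c, i);
        System.out.println(l.trackedClients() + " " + l.allow("client-4999", 5)
                + " " + l.allow("client-4999", 60_010));
    }
}
```

Evicting the least recently used client keeps memory fixed at the cost of forgetting older offenders, so a per-client limiter like this is usually paired with a global request limit upstream.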

Impact

Exploitation of this vulnerability can cause the authentication mechanism to become completely unavailable, disrupting access for legitimate users.

Remediation

Users can apply the public fix available on the WSO2 GitHub repository for the Magic Link authentication extension. For WSO2 Identity Server support subscription holders, the recommended update is to version 7.0.0, update level 121.

Added: May 11, 2026, 12:19 PM
Updated: May 11, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 7.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.