Search
Find a vulnerability
Search criteria
8 vulnerabilities found for logto by logto-io
CVE-2026-55789 (GCVE-0-2026-55789)
Vulnerability from nvd – Published: 2026-07-10 19:55 – Updated: 2026-07-10 19:55
VLAI
EPSS
VEX
Title
Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.
Severity
8.5 (High)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9107 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/90970548… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:55:37.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63"
},
{
"name": "https://github.com/logto-io/logto/pull/9107",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9107"
},
{
"name": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-vfpw-vq44-4p63",
"discovery": "UNKNOWN"
},
"title": "Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55789",
"datePublished": "2026-07-10T19:55:37.360Z",
"dateReserved": "2026-06-17T14:40:28.380Z",
"dateUpdated": "2026-07-10T19:55:37.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55377 (GCVE-0-2026-55377)
Vulnerability from nvd – Published: 2026-07-10 19:57 – Updated: 2026-07-10 19:57
VLAI
EPSS
VEX
Title
Logto: Account Center MFA management step-up bypass via WebAuthn registration verification
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0.
Severity
8.1 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9110 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/f56255a7… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:57:58.088Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-q4h3-38gc-4p4j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-q4h3-38gc-4p4j"
},
{
"name": "https://github.com/logto-io/logto/pull/9110",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9110"
},
{
"name": "https://github.com/logto-io/logto/commit/f56255a7edf3b22b0ec2fdb814814ce6b0123b74",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/f56255a7edf3b22b0ec2fdb814814ce6b0123b74"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-q4h3-38gc-4p4j",
"discovery": "UNKNOWN"
},
"title": "Logto: Account Center MFA management step-up bypass via WebAuthn registration verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55377",
"datePublished": "2026-07-10T19:57:58.088Z",
"dateReserved": "2026-06-16T18:57:40.181Z",
"dateUpdated": "2026-07-10T19:57:58.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55370 (GCVE-0-2026-55370)
Vulnerability from nvd – Published: 2026-07-10 19:56 – Updated: 2026-07-10 20:14
VLAI
EPSS
VEX
Title
Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9109 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/9118867f… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:14:33.407390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:14:41.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib\u0027s stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim\u0027s first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:56:53.317Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-6wj7-c66m-6c82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-6wj7-c66m-6c82"
},
{
"name": "https://github.com/logto-io/logto/pull/9109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9109"
},
{
"name": "https://github.com/logto-io/logto/commit/9118867f6cbadc7291cf913beb4fede91ed5d374",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/9118867f6cbadc7291cf913beb4fede91ed5d374"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-6wj7-c66m-6c82",
"discovery": "UNKNOWN"
},
"title": "Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55370",
"datePublished": "2026-07-10T19:56:53.317Z",
"dateReserved": "2026-06-16T18:57:40.181Z",
"dateUpdated": "2026-07-10T20:14:41.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54714 (GCVE-0-2026-54714)
Vulnerability from nvd – Published: 2026-07-10 19:54 – Updated: 2026-07-10 19:54
VLAI
EPSS
VEX
Title
Logto: XSS via unescaped RelayState in SAML auto-submit form
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9008 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/209fa0a5… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:54:28.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-cpm5-w86q-w85f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-cpm5-w86q-w85f"
},
{
"name": "https://github.com/logto-io/logto/pull/9008",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9008"
},
{
"name": "https://github.com/logto-io/logto/commit/209fa0a5cbe8522f9cf31873239dc6424099bb5e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/209fa0a5cbe8522f9cf31873239dc6424099bb5e"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-cpm5-w86q-w85f",
"discovery": "UNKNOWN"
},
"title": "Logto: XSS via unescaped RelayState in SAML auto-submit form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54714",
"datePublished": "2026-07-10T19:54:28.526Z",
"dateReserved": "2026-06-15T22:58:06.564Z",
"dateUpdated": "2026-07-10T19:54:28.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55377 (GCVE-0-2026-55377)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:57 – Updated: 2026-07-10 19:57
VLAI
EPSS
VEX
Title
Logto: Account Center MFA management step-up bypass via WebAuthn registration verification
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0.
Severity
8.1 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9110 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/f56255a7… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:57:58.088Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-q4h3-38gc-4p4j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-q4h3-38gc-4p4j"
},
{
"name": "https://github.com/logto-io/logto/pull/9110",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9110"
},
{
"name": "https://github.com/logto-io/logto/commit/f56255a7edf3b22b0ec2fdb814814ce6b0123b74",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/f56255a7edf3b22b0ec2fdb814814ce6b0123b74"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-q4h3-38gc-4p4j",
"discovery": "UNKNOWN"
},
"title": "Logto: Account Center MFA management step-up bypass via WebAuthn registration verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55377",
"datePublished": "2026-07-10T19:57:58.088Z",
"dateReserved": "2026-06-16T18:57:40.181Z",
"dateUpdated": "2026-07-10T19:57:58.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55370 (GCVE-0-2026-55370)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:56 – Updated: 2026-07-10 20:14
VLAI
EPSS
VEX
Title
Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9109 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/9118867f… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:14:33.407390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:14:41.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib\u0027s stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim\u0027s first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:56:53.317Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-6wj7-c66m-6c82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-6wj7-c66m-6c82"
},
{
"name": "https://github.com/logto-io/logto/pull/9109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9109"
},
{
"name": "https://github.com/logto-io/logto/commit/9118867f6cbadc7291cf913beb4fede91ed5d374",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/9118867f6cbadc7291cf913beb4fede91ed5d374"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-6wj7-c66m-6c82",
"discovery": "UNKNOWN"
},
"title": "Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55370",
"datePublished": "2026-07-10T19:56:53.317Z",
"dateReserved": "2026-06-16T18:57:40.181Z",
"dateUpdated": "2026-07-10T20:14:41.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55789 (GCVE-0-2026-55789)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:55 – Updated: 2026-07-10 19:55
VLAI
EPSS
VEX
Title
Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.
Severity
8.5 (High)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9107 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/90970548… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:55:37.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63"
},
{
"name": "https://github.com/logto-io/logto/pull/9107",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9107"
},
{
"name": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-vfpw-vq44-4p63",
"discovery": "UNKNOWN"
},
"title": "Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55789",
"datePublished": "2026-07-10T19:55:37.360Z",
"dateReserved": "2026-06-17T14:40:28.380Z",
"dateUpdated": "2026-07-10T19:55:37.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54714 (GCVE-0-2026-54714)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:54 – Updated: 2026-07-10 19:54
VLAI
EPSS
VEX
Title
Logto: XSS via unescaped RelayState in SAML auto-submit form
Summary
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9008 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/209fa0a5… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:54:28.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-cpm5-w86q-w85f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-cpm5-w86q-w85f"
},
{
"name": "https://github.com/logto-io/logto/pull/9008",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9008"
},
{
"name": "https://github.com/logto-io/logto/commit/209fa0a5cbe8522f9cf31873239dc6424099bb5e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/209fa0a5cbe8522f9cf31873239dc6424099bb5e"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-cpm5-w86q-w85f",
"discovery": "UNKNOWN"
},
"title": "Logto: XSS via unescaped RelayState in SAML auto-submit form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54714",
"datePublished": "2026-07-10T19:54:28.526Z",
"dateReserved": "2026-06-15T22:58:06.564Z",
"dateUpdated": "2026-07-10T19:54:28.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}