PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55370 logto-io CVE debrief

CVE-2026-55370 is a medium-severity vulnerability in Logto's TOTP verification process. An attacker can replay a successfully used TOTP code within the RFC 6238 acceptance window. This issue is fixed in version 1.41.0. The vulnerability affects users of Logto's authentication infrastructure who use TOTP for multi-factor authentication. The issue arises from the verifier using otplib's stateless check with window = 1 and not persisting or comparing the accepted TOTP time-step counter.

Vendor
logto-io
Product
logto
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Logto's authentication infrastructure, especially those using TOTP for multi-factor authentication, should be aware of this vulnerability and update to version 1.41.0 or later. Affected operators and security teams should review authentication infrastructure and monitor for suspicious attempts. Vulnerability management and platform security teams should prioritize updating Logto deployments.

Technical summary

Prior to version 1.41.0, Logto's TOTP verification process accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window. This was due to the verifier using otplib's stateless check with window = 1 and not persisting or comparing the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. The fix in version 1.41.0 addresses this issue by properly handling TOTP code validation.

Defensive priority

Medium priority for users of Logto's authentication infrastructure who use TOTP for multi-factor authentication. Defensive actions should focus on updating Logto, reviewing TOTP verification settings, and monitoring authentication attempts.

Recommended defensive actions

  • Update Logto to version 1.41.0 or later
  • Review and adjust TOTP verification settings
  • Monitor for suspicious authentication attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T20:16:46.333Z and has not been modified since then. The NVD entry is currently 6.4, MEDIUM severity. The Logto TOTP verification process vulnerability allows an attacker to replay a successfully used TOTP code within the RFC 6238 acceptance window. This issue is fixed in version 1.41.0. Evidence limits suggest verifying TOTP code usage and checking for updates to Logto. Defensive verification tasks include reviewing authentication infrastructure and monitoring for suspicious attempts.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:46.333Z and has not been modified since then.