PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55377 logto-io CVE debrief

CVE-2026-55377 is a high-severity vulnerability in Logto's Account Center step-up check. Prior to version 1.41.0, an attacker could create and verify a WebAuthn registration verification record using only an existing Account API bearer token. This allowed for MFA factor management without proving possession of an existing password, identifier, or MFA factor. The vulnerability has a CVSS score of 8.1 and is considered high-severity. Users of Logto's authentication infrastructure should be aware of this vulnerability and take steps to mitigate it. The issue is fixed in version 1.41.0.

Vendor
logto-io
Product
logto
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Logto's authentication infrastructure, particularly those who have not upgraded to version 1.41.0, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating authentication and MFA configurations, monitoring for suspicious activity related to Account Center and MFA factor management, and ensuring that all users are aware of the potential risks.

Technical summary

The vulnerability existed in Logto's Account Center step-up check prior to version 1.41.0. An attacker could create a WebAuthn registration verification record with an existing Account API bearer token, treating it as identityVerified=true. This allowed for MFA factor management without proper authentication. The issue is fixed in version 1.41.0. Users should review authentication and MFA configurations, and monitor for suspicious activity related to Account Center and MFA factor management.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Logto version 1.41.0 or later
  • Review and update authentication and MFA configurations
  • Monitor for suspicious activity related to Account Center and MFA factor management
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-10T20:16:46.460Z and has not been modified since then. The NVD entry is currently being processed. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in Logto's Account Center step-up check prior to version 1.41.0. Defenders should review the official advisory and CVE record for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:46.460Z and has not been modified since then.