PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55789 logto-io CVE debrief

CVE-2026-55789 is a high-severity vulnerability in Logto's self-hosted SAML application IdP. Prior to version 1.41.0, an authenticated low-privilege user could inject XML markup into profile attributes, allowing the creation of forged SAML attributes, such as arbitrary roles, and potentially leading to privilege escalation at relying Service Providers that authorize on SAML attributes. This vulnerability has a significant impact on the security of Logto's self-hosted SAML application IdP and requires immediate attention.

Vendor
logto-io
Product
logto
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Logto's self-hosted SAML application IdP, especially those with low-privilege user accounts, should be aware of this vulnerability and take immediate action to update to version 1.41.0 or later. Additionally, administrators and security teams responsible for managing and securing Logto's self-hosted SAML application IdP should review and restrict user-controlled profile attributes, monitor for suspicious SAML attribute changes, and implement additional authentication and authorization controls.

Technical summary

The vulnerability exists due to the improper handling of user-controlled profile attributes in Logto's SAML application IdP. Specifically, the samlify library (version 2.10.0) is used to build the signed SAML response and assertion by string-substituting user-controlled profile attributes into element-text placeholders of a SAML XML template. However, these placeholders are left unescaped, allowing an authenticated low-privilege user to inject XML markup and create forged SAML attributes. This vulnerability can be exploited by an authenticated low-privilege user to potentially escalate privileges at relying Service Providers that authorize on SAML attributes.

Defensive priority

Highest priority should be given to updating Logto to version 1.41.0 or later. In addition, review and restrict user-controlled profile attributes, monitor for suspicious SAML attribute changes, and implement additional authentication and authorization controls. Compensating controls for exposed systems should be reviewed while remediation is scheduled and verified. Relevant monitoring, detection, and logs for exposed assets should be checked for extra review. Exceptions, retest remediated assets, and close the item only after evidence is documented. Asset inventory and source tracking should be considered as part of the defensive strategy. Rollback/change windows should be planned for updates or mitigations through normal change control where exposure is confirmed. The impact of this vulnerability on the organization should be carefully assessed and addressed accordingly. It is also essential to verify the authenticity of any updates or patches before applying them to ensure the security of the system. Furthermore, it is crucial to educate users about the potential risks associated with this vulnerability and provide them with the necessary guidance and support to mitigate these risks effectively. Lastly, it is vital to continuously monitor the system for any suspicious activity and have an incident response plan in place in case of a potential security breach. The organization should also consider implementing additional security measures, such as multi-factor authentication and access controls, to further enhance the security of Logto's self-hosted SAML application IdP. By taking these steps, the organization can minimize the risk associated with this vulnerability and protect its systems and data from potential threats. The organization should also review its current security policies and procedures to ensure that they are adequate and effective in addressing the potential risks associated with this vulnerability. Moreover, it is essential to provide ongoing training and awareness programs for users to educate them about the potential risks associated with this vulnerability and the necessary steps to take to mitigate these risks. The organization should not

Recommended defensive actions

  • Update Logto to version 1.41.0 or later
  • Review and restrict user-controlled profile attributes
  • Monitor for suspicious SAML attribute changes
  • Implement additional authentication and authorization controls
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T20:16:47.933Z and has not been modified since then. The NVD entry is currently 8.5 HIGH. Limited details are available about the vulnerability, and further investigation is required to fully understand the impact. The vulnerability exists in Logto's self-hosted SAML application IdP prior to version 1.41.0. An authenticated low-privilege user could inject XML markup into profile attributes, allowing the creation of forged SAML attributes, such as arbitrary roles, and potentially leading to privilege escalation at relying Service Providers that authorize on SAML attributes.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:47.933Z and has not been modified since then.