CVE-2026-55789 is a high-severity vulnerability in Logto's self-hosted SAML application IdP. Prior to version 1.41.0, an authenticated low-privilege user could inject XML markup into profile attributes, allowing the creation of forged SAML attributes, such as arbitrary roles, and potentially leading to privilege escalation at relying Service Providers that authorize on SAML attributes. This vulnerability [truncated]
CVE-2026-55377 is a high-severity vulnerability in Logto's Account Center step-up check. Prior to version 1.41.0, an attacker could create and verify a WebAuthn registration verification record using only an existing Account API bearer token. This allowed for MFA factor management without proving possession of an existing password, identifier, or MFA factor. The vulnerability has a CVSS score of 8.1 and i [truncated]
CVE-2026-55370 is a medium-severity vulnerability in Logto's TOTP verification process. An attacker can replay a successfully used TOTP code within the RFC 6238 acceptance window. This issue is fixed in version 1.41.0. The vulnerability affects users of Logto's authentication infrastructure who use TOTP for multi-factor authentication. The issue arises from the verifier using otplib's stateless check with [truncated]
CVE-2026-54714 is a reflected cross-site scripting (XSS) vulnerability in the Logto open-source auth infrastructure for SaaS and AI apps. The vulnerability exists in the SAML application flow, specifically in the @logto/core package. An attacker could inject script into the Logto tenant origin after a user completes login by crafting a RelayState value in the GET or POST /api/saml/:id/authn request. The i [truncated]