PatchSiren

logto-io CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH logto-io CVE published 2026-07-10

CVE-2026-55789

CVE-2026-55789 is a high-severity vulnerability in Logto's self-hosted SAML application IdP. Prior to version 1.41.0, an authenticated low-privilege user could inject XML markup into profile attributes, allowing the creation of forged SAML attributes, such as arbitrary roles, and potentially leading to privilege escalation at relying Service Providers that authorize on SAML attributes. This vulnerability [truncated]

HIGH logto-io CVE published 2026-07-10

CVE-2026-55377

CVE-2026-55377 is a high-severity vulnerability in Logto's Account Center step-up check. Prior to version 1.41.0, an attacker could create and verify a WebAuthn registration verification record using only an existing Account API bearer token. This allowed for MFA factor management without proving possession of an existing password, identifier, or MFA factor. The vulnerability has a CVSS score of 8.1 and i [truncated]

MEDIUM logto-io CVE published 2026-07-10

CVE-2026-55370

CVE-2026-55370 is a medium-severity vulnerability in Logto's TOTP verification process. An attacker can replay a successfully used TOTP code within the RFC 6238 acceptance window. This issue is fixed in version 1.41.0. The vulnerability affects users of Logto's authentication infrastructure who use TOTP for multi-factor authentication. The issue arises from the verifier using otplib's stateless check with [truncated]

MEDIUM logto-io CVE published 2026-07-10

CVE-2026-54714

CVE-2026-54714 is a reflected cross-site scripting (XSS) vulnerability in the Logto open-source auth infrastructure for SaaS and AI apps. The vulnerability exists in the SAML application flow, specifically in the @logto/core package. An attacker could inject script into the Logto tenant origin after a user completes login by crafting a RelayState value in the GET or POST /api/saml/:id/authn request. The i [truncated]