Skip to main content

Logto CVE-2026-55370

| EUVDEUVD-2026-43011 MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-07-10 security-advisories@github.com
6.4
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.4 MEDIUM

Agrees with provided vector: network-exploitable but requires captured live TOTP (AC:H), stolen first-factor credentials (PR:L), and victim interaction (UI:R); MFA bypass yields C:H/I:H with no availability impact.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:38 vuln.today

DescriptionCVE.org

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.

AnalysisAI

TOTP replay vulnerability in Logto prior to 1.41.0 allows an attacker who holds a victim's first-factor credentials and captures a live TOTP code to replay that code within the same RFC 6238 acceptance window, bypassing multi-factor authentication entirely. The root cause is otplib's stateless verification call with window=1, which validates the time-based OTP cryptographically but does not persist the last-accepted time-step counter - leaving used codes valid for replay until the 30-second window expires. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain victim first-factor credentials via phishing or breach
Delivery
Position as adversary-in-the-middle or observe victim TOTP use
Exploit
Capture live TOTP code during active time-step window
Execution
Submit first-factor credentials to legitimate Logto endpoint
Persist
Replay captured TOTP code within same window to satisfy MFA
Impact
Gain full authenticated session, bypassing multi-factor authentication

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous conditions: (1) the attacker must already hold the victim's first-factor credentials (username and password) - PR:L in the CVSS vector reflects this prerequisite; (2) the target Logto deployment must have TOTP-based MFA enabled for the victim's account - accounts without TOTP enrollment are entirely unaffected; and (3) the attacker must observe or intercept a live, valid TOTP code generated by the victim and replay it to the Logto endpoint within the same RFC 6238 time-step window, which the UI:R and AC:H metrics jointly model. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (Medium) accurately reflects the genuine attack complexity: the adversary must simultaneously possess the victim's first-factor credentials (PR:L) and capture a live TOTP code within its active time window (AC:H, UI:R - victim must have recently used the code). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a real-time adversary-in-the-middle phishing page proxies the victim's login session to the legitimate Logto instance: the victim enters their username, password, and TOTP code on the phishing page, which immediately forwards those credentials upstream to authenticate. Before the victim's 30-second TOTP window expires, the attacker replays the same captured TOTP code against the real Logto endpoint using the victim's stolen first-factor credentials, successfully satisfying MFA and establishing an independent authenticated session. …
Remediation Upgrade Logto to version 1.41.0 or later, available at https://github.com/logto-io/logto/releases/tag/v1.41.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy