Skip to main content

Logto CVE-2026-55789

| EUVDEUVD-2026-43010 HIGH
XML Injection (aka Blind XPath Injection) (CWE-91)
2026-07-10 security-advisories@github.com
8.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
vuln.today AI
8.5 HIGH

Any authenticated low-privilege account (PR:L) can inject over the network with low complexity; forged signed attributes give I:H, and the trust boundary crossed to relying SPs justifies S:C with A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:33 vuln.today

DescriptionCVE.org

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.

AnalysisAI

Privilege escalation in Logto's self-hosted SAML IdP (before 1.41.0) lets an authenticated low-privilege user forge signed SAML attributes such as roles, enabling elevated access at any relying Service Provider that authorizes on SAML attributes. Because user-controlled profile fields (name, email, custom attribute-mapping values) were string-substituted into an unescaped XML template via samlify 2.10.0, an attacker embeds XML markup that Logto then cryptographically signs as legitimate. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege Logto user
Delivery
Inject XML markup into profile attribute
Exploit
Initiate SAML login to relying SP
Execution
Logto signs forged assertion with elevated role
Impact
SP authorizes attacker as privileged user

Vulnerability AssessmentAI

Exploitation Exploitation requires that Logto be deployed with the self-hosted SAML application IdP feature enabled and that at least one relying Service Provider authorizes based on SAML attributes (e.g., role, group). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N, score 8.5) aligns well with the described mechanics: remote, low-complexity, requiring only a low-privilege authenticated account, with high integrity impact and a scope change reflecting compromise of downstream Service Providers - a distinct trust boundary from Logto itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege user with a valid Logto account edits a profile attribute (such as display name or a custom attribute-mapping value) to embed SAML XML markup declaring an elevated role. When that user authenticates via SAML to a relying Service Provider, Logto substitutes and signs the assertion containing the forged attribute, and the SP grants admin-level access based on the trusted, signed role. …
Remediation Vendor-released patch: upgrade Logto to 1.41.0 or later, which is the fix released in https://github.com/logto-io/logto/releases/tag/v1.41.0 (code changes in PR https://github.com/logto-io/logto/pull/9107 and commit 9097054860f0d638d90778d3dcde2ba050b844b6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Logto self-hosted deployments and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy