Skip to main content

Logto EUVDEUVD-2026-43012

| CVE-2026-55377 HIGH
Improper Authentication (CWE-287)
2026-07-10 security-advisories@github.com
8.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.1 HIGH

Network-reachable and low-complexity but needs an existing valid bearer token (PR:L); impact is chiefly integrity of MFA/account settings (I:H) with only incidental confidentiality (C:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:31 vuln.today

DescriptionCVE.org

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0.

AnalysisAI

Authentication step-up bypass in Logto self-hosted auth infrastructure prior to 1.41.0 lets an already-authenticated user manage MFA factors without re-proving their identity. The Account Center accepted any of the user's own verified records - including a self-created WebAuthn passkey-registration record - as proof of identity verification, so an attacker holding only a valid Account API bearer token could forge the logto-verification-id header and satisfy step-up checks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Account API bearer token
Delivery
Start WebAuthn passkey registration verification
Exploit
Receive isVerified record ID
Execution
Replay ID in logto-verification-id header
Persist
Pass Account Center step-up as identityVerified
Impact
Add/remove MFA factors for account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess a valid, active Account API bearer token for the target user (CVSS PR:L - authenticated), and the deployment must expose Logto's Account Center step-up flow with WebAuthn passkey registration enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1) reflects a network-reachable, low-complexity flaw requiring some existing privilege (PR:L) and no user interaction - consistent with the description, which requires a valid Account API bearer token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains a victim's active Account API bearer token (for example via token theft or an authenticated malicious user acting on their own account) initiates a WebAuthn passkey-registration verification, which yields an isVerified record without proving any pre-existing credential. They send that record's ID in the logto-verification-id header to Account Center MFA routes, which treat them as identity-verified, letting them add or remove MFA factors and pave the way to persistent account takeover. …
Remediation Vendor-released patch: upgrade Logto to version 1.41.0 or later, which corrects the step-up check to require a verification record that actually proves possession of an existing credential rather than accepting any isVerified record (see PR #9110 and commit f56255a). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Logto self-hosted deployments and identify instances running versions prior to 1.41.0; coordinate a maintenance window. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy