Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable and low-complexity but needs an existing valid bearer token (PR:L); impact is chiefly integrity of MFA/account settings (I:H) with only incidental confidentiality (C:L).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0.
AnalysisAI
Authentication step-up bypass in Logto self-hosted auth infrastructure prior to 1.41.0 lets an already-authenticated user manage MFA factors without re-proving their identity. The Account Center accepted any of the user's own verified records - including a self-created WebAuthn passkey-registration record - as proof of identity verification, so an attacker holding only a valid Account API bearer token could forge the logto-verification-id header and satisfy step-up checks. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess a valid, active Account API bearer token for the target user (CVSS PR:L - authenticated), and the deployment must expose Logto's Account Center step-up flow with WebAuthn passkey registration enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1) reflects a network-reachable, low-complexity flaw requiring some existing privilege (PR:L) and no user interaction - consistent with the description, which requires a valid Account API bearer token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains a victim's active Account API bearer token (for example via token theft or an authenticated malicious user acting on their own account) initiates a WebAuthn passkey-registration verification, which yields an isVerified record without proving any pre-existing credential. They send that record's ID in the logto-verification-id header to Account Center MFA routes, which treat them as identity-verified, letting them add or remove MFA factors and pave the way to persistent account takeover. … |
| Remediation | Vendor-released patch: upgrade Logto to version 1.41.0 or later, which corrects the step-up check to require a verification record that actually proves possession of an existing credential rather than accepting any isVerified record (see PR #9110 and commit f56255a). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Logto self-hosted deployments and identify instances running versions prior to 1.41.0; coordinate a maintenance window. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43012