CVE-2026-54714 in logto
Summary
by MITRE • 07/10/2026
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists within Logto's SAML implementation where the core package fails to properly escape HTML attributes when reflecting SAML parameters into auto-submit HTML forms. The flaw occurs in the SamlApplication/utils.ts file where RelayState, SAMLResponse, and actionUrl values are directly injected into HTML attributes without appropriate sanitization. When a malicious actor crafts a SAML request with specially formatted RelayState parameters, these unescaped values can be embedded into HTML attributes such as value or href attributes within the auto-submit form. This creates a classic cross-site scripting vulnerability that allows attackers to inject malicious scripts that execute in the context of the Logto tenant origin.
The technical implementation involves the reflection of user-controllable SAML parameters directly into HTML form elements without proper HTML attribute escaping mechanisms. The vulnerable code path processes SAML authentication requests from GET or POST methods at /api/saml/:id/authn endpoints where the RelayState parameter is particularly dangerous as it can contain arbitrary data that gets reflected into HTML attributes. When users complete the login flow and the auto-submit form executes, any malicious script injected through these parameters runs with the privileges of the logged-in user within the Logto tenant's security context.
The operational impact of this vulnerability is significant as it enables authenticated attackers to perform persistent cross-site scripting attacks against Logto tenants. Once an attacker successfully crafts a malicious SAML request with crafted RelayState values, they can execute arbitrary JavaScript code that runs in the victim's browser session. This could potentially allow for session hijacking, data exfiltration, privilege escalation, or even complete account takeover within the affected Logto tenant environment. The vulnerability affects all versions prior to 1.41.0 and represents a critical security risk for organizations relying on SAML authentication flows through Logto.
The fix implemented in version 1.41.0 addresses this issue by introducing proper HTML attribute escaping mechanisms before reflecting SAML parameters into the auto-submit HTML form. This remediation aligns with established security practices and follows the principles outlined in CWE-79 - Cross-site Scripting and ATT&CK technique T1531 - Account Access Removal. Organizations should immediately upgrade to version 1.41.0 or later to mitigate this vulnerability, while also implementing additional monitoring for suspicious SAML authentication requests and ensuring proper input validation at all entry points where user-supplied data is processed and reflected into HTML output. The vulnerability demonstrates the importance of proper sanitization of user-controllable data in web applications and highlights how seemingly innocuous parameter reflection can create critical security exposures when proper escaping mechanisms are not implemented.