CVE-2026-55370 in Logto
Summary
by MITRE • 07/10/2026
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability identified in Logto versions prior to 1.41.0 represents a critical flaw in multi-factor authentication implementation that directly impacts the security posture of SaaS and AI applications relying on this open-source authentication infrastructure. This weakness stems from improper state management during TOTP (Time-based One-Time Password) verification processes, creating a window of opportunity for authenticated attackers to exploit the system's trust model. The issue specifically affects the TOTP verification mechanism that was designed to accept time-based codes within an RFC 6238-compliant acceptance window of one time-step.
The technical flaw manifests in how Logto's authentication system handles TOTP code validation through its integration with otplib library. While the system correctly implements a stateless verification approach with a window parameter set to 1, it fails to maintain persistent state tracking of previously accepted time-steps. This design choice allows for replay attacks where an attacker who has already obtained a valid first-factor credential and captured a legitimate TOTP value can reuse that specific code during the same acceptance window period. The absence of time-step counter comparison means that the system treats each valid code as independent rather than recognizing it as a previously used authentication factor.
The operational impact of this vulnerability extends beyond simple authentication bypasses, creating significant security implications for applications using Logto's infrastructure. Attackers who successfully capture a TOTP value during an active session can leverage this information to authenticate multiple times within the acceptance window, effectively undermining the core principle of time-based one-time passwords that relies on code uniqueness and temporal validity. This vulnerability particularly affects environments where MFA is considered a critical security control, as it reduces the effectiveness of the second authentication factor from providing robust protection to offering minimal resistance against determined attackers.
This security weakness aligns with CWE-310 (Cryptographic Issues) and specifically relates to improper handling of time-based authentication mechanisms. The vulnerability also maps to ATT&CK technique T1566.002 (Phishing: Spearphishing Attachment) when combined with initial compromise through credential theft, as attackers can leverage captured TOTP values to maintain persistent access. Additionally, it demonstrates a failure in implementing proper session management and state tracking that should be fundamental to any secure authentication system. Organizations utilizing Logto versions before 1.41.0 face increased risk of account takeovers and unauthorized access, particularly in scenarios where the first factor has been compromised through phishing or credential stuffing attacks.
The fix implemented in version 1.41.0 addresses this issue by introducing proper state persistence mechanisms that track accepted TOTP time-steps and prevent reuse of previously validated codes within their acceptance windows. This remediation ensures that each valid TOTP code can only be used once, maintaining the temporal security properties that time-based authentication protocols are designed to provide. Organizations should immediately upgrade to version 1.41.0 or later to mitigate this vulnerability, while also implementing additional monitoring for unusual authentication patterns that might indicate exploitation attempts. Security teams should conduct thorough assessments of their Logto implementations to verify proper state management and ensure no other similar vulnerabilities exist in their multi-factor authentication systems.