CVE-2026-55789 in Logtoinfo

Summary

by MITRE • 07/10/2026

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability identified in Logto versions prior to 1.41.0 represents a critical security flaw within the self-hosted SAML Identity Provider implementation that directly impacts authentication and authorization mechanisms. This issue stems from improper handling of user-controlled input during the generation of SAML responses, creating an environment where authenticated users can manipulate system behavior through crafted profile attributes. The vulnerability specifically affects the SAML assertion construction process which relies on samlify 2.10.0 library for template-based XML generation, where string substitution operations fail to properly escape potentially malicious user input before incorporation into XML elements.

The technical flaw manifests as a classic insecure template rendering vulnerability where profile attributes containing user-controlled data are directly inserted into SAML XML template placeholders without adequate sanitization or escaping mechanisms. When an authenticated user with low privileges modifies their profile information to include XML markup within fields such as name, email, or custom attribute mappings, the system processes these values through direct string substitution rather than proper XML encoding. This creates opportunities for attackers to inject arbitrary XML content that gets embedded into the signed SAML assertion, allowing them to forge attribute values that could include unauthorized roles or permissions.

The operational impact of this vulnerability extends beyond simple privilege escalation to potentially compromise entire relying party systems that trust SAML assertions from the vulnerable Logto instance. When Service Providers receive forged SAML attributes containing unauthorized roles, they may grant access or elevated privileges based on these manipulated claims, effectively bypassing the intended authorization controls. This represents a significant risk in multi-tenant environments where different users require distinct access levels, as a single compromised low-privilege account could potentially escalate to administrator-level access within applications relying on Logto for authentication.

This vulnerability aligns with CWE-74 and CWE-79 classifications, specifically addressing weaknesses in data sanitization and input validation within XML processing contexts. The issue also maps to ATT&CK technique T1078.004 which covers legitimate credentials used for lateral movement, as attackers can leverage this flaw to assume roles within relying applications. Additionally, the vulnerability demonstrates characteristics of privilege escalation through malformed input processing that could be categorized under ATT&CK technique T1548.005 related to abuse of service accounts. The fix implemented in version 1.41.0 addresses this by introducing proper XML escaping and sanitization of user-controlled attributes before template substitution, ensuring that all profile data is properly encoded to prevent XML injection attacks.

Organizations utilizing Logto should prioritize immediate upgrade to version 1.41.0 or later to mitigate this vulnerability. Additional mitigations include implementing strict input validation for profile attributes, monitoring SAML assertion content for anomalies, and establishing proper access controls around user profile modification capabilities. Security teams should also review relying party configurations to ensure they implement appropriate attribute-based access control policies that can detect and reject suspicious attribute values. The vulnerability highlights the importance of proper input sanitization in XML processing contexts and demonstrates how seemingly benign template substitution operations can create significant security risks when user-controlled data is not properly escaped or validated.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!