PT-2026-57281 · Logto Io · Logto
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-55370
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Logto