PT-2026-57281 · Logto Io · Logto

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-55370

CVSS v3.1

6.4

Medium

VectorAV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55370

Affected Products

Logto