CVE-2026-54714
Received Received - Intake

Cross-Site Scripting in Logto Auth Platform

Vulnerability report for CVE-2026-54714, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
logto core to 1.41.0 (exc)
logto logto to 1.41.0 (exc)
logto logto 1.41.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54714 is a Cross-Site Scripting (XSS) vulnerability in the Logto authentication system that occurs when the SAML RelayState parameter is reflected in an auto-submit HTML form without proper HTML attribute escaping.

This allows an attacker to inject malicious scripts that execute in the context of the Logto Identity Provider (IdP) origin during SAML login responses.

The vulnerability affects Logto versions 1.40.1 and earlier and is triggered by a crafted SAML AuthnRequest that passes validation.

The issue was fixed in version 1.41.0 by properly escaping HTML attribute values before interpolation, preventing script execution.

Impact Analysis

This vulnerability can allow an attacker to inject and execute malicious scripts in the context of the Logto tenant origin after a user completes login.

  • The injected script can perform actions such as session or cookie theft.
  • It can also enable credential harvesting.

Because the attack is network-based and requires user interaction, it has a moderate severity with a CVSS score of 6.1.

Detection Guidance

This vulnerability can be detected by monitoring for SAML authentication requests that include a crafted RelayState parameter which may contain unescaped HTML or script content. Specifically, look for GET or POST requests to the endpoint /api/saml/:id/authn that include suspicious RelayState values.

Commands to detect potential exploitation attempts could include inspecting HTTP request logs or capturing network traffic for suspicious RelayState parameters containing script tags or unescaped quotes.

  • Use tools like curl or wget to simulate requests with crafted RelayState parameters and observe the response for reflected script content.
  • Example command to search logs for suspicious RelayState values: grep -E 'RelayState=.*<script|RelayState=.*"' /path/to/logs
  • Use a network packet capture tool (e.g., tcpdump or Wireshark) to filter HTTP POST or GET requests to /api/saml/:id/authn and analyze RelayState parameters.
Mitigation Strategies

The primary mitigation step is to upgrade Logto to version 1.41.0 or later, where the vulnerability is fixed by properly escaping HTML attribute values in the SAML auto-submit form.

Until the upgrade can be applied, consider restricting access to the SAML authentication endpoint to trusted sources and monitoring for suspicious RelayState parameters.

Additionally, ensure that the form action URL only allows HTTP or HTTPS schemes to prevent scriptable URLs from being executed.

Implement logging and alerting on unusual SAML authentication requests that contain unexpected or malformed RelayState values.

Compliance Impact

The vulnerability is a Cross-Site Scripting (XSS) issue that allows attackers to inject malicious scripts during the SAML login process, potentially leading to session or cookie theft and credential harvesting.

Such unauthorized access and data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user credentials and personal data against unauthorized access and breaches.

By enabling script injection on the identity provider's origin, the vulnerability increases the risk of data leakage and unauthorized actions, which could violate the confidentiality and integrity requirements mandated by these standards.

The fix, introduced in version 1.41.0, mitigates this risk by properly escaping HTML attribute values and restricting form action URLs, thereby helping maintain compliance with security best practices required by such regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54714. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart