CVE-2026-55370
Received Received - Intake

Replayable TOTP Code in Logto Prior to 1.41.0

Vulnerability report for CVE-2026-55370, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
logto logto 1.41.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Logto's TOTP (Time-based One-Time Password) verification system used in multi-factor authentication (MFA). Prior to version 1.41.0, the system accepted a previously used TOTP code again if it was still within the RFC 6238 acceptance window. This happened because the verifier used a stateless check with a window of 1 and did not track or compare the time-step counter of the accepted TOTP code. As a result, an attacker who has the victim's first factor (like a password) and captures a live TOTP code can replay that code to bypass MFA during the same acceptance window.

The issue is fixed by implementing a stateful replay prevention mechanism that tracks the last used TOTP time-step counter for each user. This ensures that each TOTP code can only be used once, even if it falls within the allowed time window.

Impact Analysis

This vulnerability can allow an attacker to bypass multi-factor authentication if they have access to the victim's first factor (such as a password) and can capture a valid TOTP code. By replaying the captured TOTP code within the acceptance window, the attacker can gain unauthorized access to the victim's account or system.

The impact includes a compromise of confidentiality and integrity, as unauthorized users may access sensitive information or perform actions as the victim. However, availability is not affected.

Detection Guidance

This vulnerability involves replay attacks on TOTP codes within the RFC 6238 acceptance window. Detection would involve monitoring for repeated use of the same TOTP code or time-step counter during MFA verification attempts.

Since the vulnerability is related to the reuse of TOTP codes, you can look for multiple authentication attempts using the same TOTP value or time-step counter within a short time frame.

However, the provided resources do not include specific commands or tools to detect this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Logto to version 1.41.0 or later, where the issue is fixed.

The fix involves implementing a stateful replay prevention mechanism that tracks the last used TOTP time-step counter and rejects any reused or older TOTP codes within the acceptance window.

  • Upgrade Logto to version 1.41.0 or newer.
  • Ensure that the MFA verification system uses the updated logic that stores and enforces the accepted TOTP time-step counter.
  • Remove or avoid logging raw TOTP codes in audit logs to reduce sensitive data exposure.
  • Apply any patches or updates that address race conditions in the replay prevention mechanism.
Compliance Impact

The vulnerability CVE-2026-55370 allows replay attacks on the TOTP-based MFA system, potentially enabling unauthorized access if an attacker has the victim's first factor and a captured TOTP code.

Such unauthorized access risks compromising confidentiality and integrity of user data, which can negatively impact compliance with standards and regulations like GDPR and HIPAA that require strong authentication controls to protect sensitive information.

The vulnerability's fix, which enforces one-time use of TOTP codes and removes raw TOTP codes from audit logs, helps mitigate these risks by preventing replay attacks and reducing sensitive data exposure, thereby supporting compliance efforts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart