CVE-2026-55377
Received Received - Intake

Authentication Bypass in Logto Account Center

Vulnerability report for CVE-2026-55377, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
logto logto to 1.41.0 (exc)
logto logto 1.41.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55377 is a vulnerability in Logto's Account Center step-up verification process. Before version 1.41.0, the system accepted any active verification record with isVerified set to true for step-up checks, including WebAuthn registration records. This allowed an attacker with a hijacked user session and a valid Account API bearer token to create and verify a WebAuthn registration record without proper user permission validation.

Once verified, this record could be used to bypass multi-factor authentication (MFA) step-up verification, enabling the attacker to manage MFA factors (add, delete, or replace) without needing the user's existing password, identifier, or MFA factors.

The root cause was that the authentication middleware treated all verified records equally, regardless of their purpose, allowing unauthorized access through improper authentication.

Compliance Impact

This vulnerability allows an attacker to bypass Multi-Factor Authentication (MFA) step-up verification and manage MFA factors without proper user credential verification. Such unauthorized access weakens account security and could lead to unauthorized data access or manipulation.

By enabling unauthorized access and persistence in user accounts, this issue could potentially lead to violations of security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strong authentication controls to protect personal and sensitive data.

Therefore, the vulnerability undermines compliance with these regulations by compromising the integrity of authentication mechanisms designed to protect user identity and data privacy.

Impact Analysis

This vulnerability can severely weaken account security by allowing attackers to bypass MFA step-up verification if they have a hijacked user session and a valid bearer token.

Attackers can add, delete, or replace MFA factors without proving possession of existing credentials, which can lead to persistent unauthorized access.

This unauthorized access can hinder legitimate user recovery and increase the risk of account takeover.

Detection Guidance

Detection of this vulnerability involves identifying whether the Logto Account Center step-up verification process accepts WebAuthn registration verification records or other unauthorized verification records as valid for identity verification.

Specifically, you should check if any active verification records with isVerified === true, including WebAuthn registration records, are being accepted for step-up authentication without proper user permission validation.

Since the vulnerability allows an attacker with a valid Account API bearer token to create and verify WebAuthn registration records, monitoring API calls that create or verify such records can help detect exploitation attempts.

Suggested commands or approaches include:

  • Review logs for API requests that create or verify WebAuthn registration records, especially those including the logto-verification-id header.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic for suspicious Account API bearer token usage combined with WebAuthn registration verification.
  • Query your Logto database or audit logs for active verification records with isVerified === true that are of type WebAuthn registration or MFA binding.
  • If you have access to the system, inspect the koa-oidc-auth middleware logs or enable debug logging to verify which verification record types are accepted during step-up authentication.
Mitigation Strategies

The primary mitigation step is to upgrade Logto to version 1.41.0 or later, where the vulnerability is fixed by restricting the Account Center step-up verification process to only accept specific verification record types intended for user permission validation.

This update prevents WebAuthn registration or MFA binding verification records from being used to bypass MFA step-up authentication.

Additional immediate steps include:

  • Revoke or invalidate any suspicious active verification records, especially WebAuthn registration records created without proper user validation.
  • Audit and monitor user sessions and API tokens for unusual activity related to MFA factor management.
  • Implement stricter access controls and logging around the Account API bearer tokens to prevent hijacking.
  • If upgrading immediately is not possible, consider applying any available patches or configuration changes that restrict verification record acceptance as described in the fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55377. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart