CVE-2026-55789
Received Received - Intake

SAML Attribute Injection in Logto Prior to 1.41.0

Vulnerability report for CVE-2026-55789, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
logto logto 1.41.0
samalify samalify 2.10.0
logto logto to 1.41.0 (exc)
samlify samlify to 2.13.0 (exc)
samlify samlify 2.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55789 is a vulnerability in Logto's self-hosted SAML Identity Provider (IdP) where user-controlled profile attributes such as name or email are inserted without proper XML escaping into signed SAML assertions. This allows an authenticated low-privilege user to inject malicious XML markup into these attributes, forging new SAML attributes like an arbitrary role.

Because the forged attributes are included within the signed SAML response, relying Service Providers that validate the IdP's signature accept these forged attributes as legitimate, enabling privilege escalation.

The root cause is that the samlify library version 2.10.0 used by Logto only escapes user input when placed in attribute positions but not when placed in element-text positions within the SAML XML template.

This issue was fixed by upgrading samlify to version 2.13.0, which properly escapes element-text placeholders, and by adding regression tests to ensure XML escaping of attribute values.

Compliance Impact

The vulnerability in CVE-2026-55789 allows an authenticated low-privilege user to escalate privileges by injecting malicious XML markup into signed SAML assertions. This can lead to unauthorized access to sensitive information or elevated permissions at relying Service Providers.

Such unauthorized privilege escalation and potential exposure of sensitive user attributes could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal data.

Specifically, the inability to prevent forged SAML attributes undermines the integrity and confidentiality of authentication and authorization processes, which are critical for regulatory compliance.

Impact Analysis

This vulnerability can allow an authenticated low-privilege user to escalate their privileges by injecting forged SAML attributes, such as an arbitrary role like "admin", into the signed SAML assertion.

Since relying Service Providers trust the signed assertions from Logto's IdP, the attacker can gain unauthorized access or elevated permissions on those services.

This can lead to unauthorized access to sensitive data, administrative functions, or other protected resources within applications that rely on Logto's SAML authentication.

Detection Guidance

This vulnerability involves an authenticated low-privilege user injecting malicious XML markup into their profile attributes, which are then included unescaped in signed SAML assertions. Detection involves monitoring SAML assertions for unexpected or forged attributes, such as unauthorized role attributes.

To detect exploitation attempts, you can capture and inspect SAML responses from your Logto IdP for suspicious XML content within element-text placeholders, especially looking for injected XML tags like additional <saml:Attribute> elements.

Suggested commands include using network capture tools like tcpdump or Wireshark to capture SAML responses, then using XML parsing or searching tools to find suspicious attribute values.

  • Capture SAML response traffic on the network (e.g., tcpdump -i eth0 -w saml_capture.pcap port 443)
  • Extract SAML responses from captures and decode base64 if needed.
  • Search for suspicious XML markup in SAML assertions, for example using grep or xmllint:
  • grep -Pzo '<saml:AttributeValue>.*</saml:AttributeValue>.*<saml:Attribute Name="role">' saml_response.xml
  • Use XML validation tools to check for malformed or unexpected elements in SAML assertions.

Additionally, review user profile attributes for suspicious content that includes XML markup, as the vulnerability requires an attacker to set crafted profile attribute values.

Mitigation Strategies

The primary mitigation is to upgrade Logto to version 1.41.0 or later, which includes an updated samlify library (version 2.13.0) that properly escapes XML element-text placeholders in SAML assertions.

If upgrading immediately is not possible, consider implementing additional XML escaping on user-controlled profile attributes before they are substituted into the SAML XML template to prevent injection.

Also, review and restrict the ability of low-privilege users to modify profile attributes that are included in SAML assertions, especially those that could be used to escalate privileges.

Finally, apply regression tests or validation checks to ensure that generated SAML assertions do not contain unexpected XML elements or markup injected via user attributes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55789. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart