๐Ÿ” CVE Alert

CVE-2026-55377

HIGH 8.1

Logto: Account Center MFA management step-up bypass via WebAuthn registration verification

CVSS Score
8.1
EPSS Score
0.3%
EPSS Percentile
17th

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new passkey could be created and verified with only an existing Account API bearer token, then sent in the logto-verification-id header and treated as identityVerified=true by Account Center routes, allowing MFA factor management without proving possession of an existing password, identifier, or MFA factor. This issue is fixed in version 1.41.0.

CWE CWE-287
Vendor logto-io
Product logto
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for logto-io logto

Be the first to know when new high vulnerabilities affecting logto-io logto are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

logto-io / logto
< 1.41.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/logto-io/logto/security/advisories/GHSA-q4h3-38gc-4p4j github.com: https://github.com/logto-io/logto/pull/9110 github.com: https://github.com/logto-io/logto/commit/f56255a7edf3b22b0ec2fdb814814ce6b0123b74 github.com: https://github.com/logto-io/logto/releases/tag/v1.41.0