SAML Vulnerability in Logto Auth Infrastructure by Logto
CVE-2026-54714

6.1MEDIUM

Key Information:

Vendor

Logto-io

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-54714?

The Logto auth infrastructure prior to version 1.41.0 has a vulnerability that allows for the injection of arbitrary scripts through improper handling of the SAML RelayState, SAMLResponse, and actionUrl parameters. When a crafted RelayState is passed during the SAML application flow, it can lead to the execution of scripts on the Logto tenant origin after user login. This issue highlights the need for strict input validation and proper encoding to mitigate potential cross-site scripting (XSS) attacks.

Affected Version(s)

logto < 1.41.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.