SAML Vulnerability in Logto Auth Infrastructure by Logto
CVE-2026-54714
6.1MEDIUM
What is CVE-2026-54714?
The Logto auth infrastructure prior to version 1.41.0 has a vulnerability that allows for the injection of arbitrary scripts through improper handling of the SAML RelayState, SAMLResponse, and actionUrl parameters. When a crafted RelayState is passed during the SAML application flow, it can lead to the execution of scripts on the Logto tenant origin after user login. This issue highlights the need for strict input validation and proper encoding to mitigate potential cross-site scripting (XSS) attacks.
Affected Version(s)
logto < 1.41.0
