MFA Replay Vulnerability in Logto Authentication Infrastructure
CVE-2026-55370
6.4MEDIUM
What is CVE-2026-55370?
Logto's authentication infrastructure, used for SaaS and AI applications, had a vulnerability that allowed an attacker to replay a Time-based One-Time Password (TOTP) during the acceptance window. Due to the implementation using otplib's stateless check, validated TOTP codes remained accepted without persisting or comparing the time-step counter, enabling potential replay if an attacker managed to capture the victim's TOTP value. This critical security issue has been resolved in version 1.41.0.
Affected Version(s)
logto < 1.41.0
