MFA Replay Vulnerability in Logto Authentication Infrastructure
CVE-2026-55370

6.4MEDIUM

Key Information:

Vendor

Logto-io

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55370?

Logto's authentication infrastructure, used for SaaS and AI applications, had a vulnerability that allowed an attacker to replay a Time-based One-Time Password (TOTP) during the acceptance window. Due to the implementation using otplib's stateless check, validated TOTP codes remained accepted without persisting or comparing the time-step counter, enabling potential replay if an attacker managed to capture the victim's TOTP value. This critical security issue has been resolved in version 1.41.0.

Affected Version(s)

logto < 1.41.0

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.