CVE-2026-55789

logto-io · logto

Logto is vulnerable to XML/Blind XPath injection and dependency-related security flaws, requiring an update to version 1.41.0 to address these risks.

Executive summary

Logto is affected by XML/Blind XPath injection and third-party dependency vulnerabilities, which could lead to unauthorized data access or integrity compromise if left unpatched.

Vulnerability

This vulnerability involves XML/Blind XPath Injection (CWE-91) and issues related to vulnerable third-party dependencies (CWE-1395). Exploitation requires an authenticated user with sufficient privileges to interact with the vulnerable components.

Business impact

The presence of injection flaws in an authentication infrastructure product like Logto is critical. Successful exploitation could result in unauthorized data disclosure, manipulation of authentication logic, or total compromise of the identity management system, justifying the high CVSS score of 8.5.

Remediation

Immediate Action: Upgrade the Logto installation to version 1.41.0 or later to patch the identified injection flaws and update insecure dependencies.

Proactive Monitoring: Monitor authentication logs for unusual behavior or attempts to access unauthorized data structures, which may indicate an attempt to leverage the injection vulnerability.

Compensating Controls: Ensure that the application environment follows the principle of least privilege and that database or backend services are isolated from the web interface to limit the scope of potential injection attacks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

As this software handles identity and authentication, any vulnerability within its core logic is of significant concern. Organizations must prioritize the upgrade to version 1.41.0 to ensure the integrity of their authentication infrastructure.