Untriaged
Permalink
CVE-2026-55370
6.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.
References
-
https://github.com/logto-io/logto/security/advisories/GHSA-6wj7-c66m-6c82 x_refsource_CONFIRM
-
https://github.com/logto-io/logto/pull/9109 x_refsource_MISC
-
https://github.com/logto-io/logto/releases/tag/v1.41.0 x_refsource_MISC
Affected products
logto
- ==< 1.41.0
Package maintainers
-
@starcraft66 Tristan Gosselin-Hane <starcraft66@gmail.com>