Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.
CVE-2026-55789
This high-severity CVE scores 8.5 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.5
- EG Score
- 8.5(low)
- EPSS
- —
- KEV
- Not listed
Published
July 10, 2026
Last Modified
July 10, 2026
Advisory Details (4)
Auto-updated Jul 10, 2026SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers · Advisory · logto-io/logto · GitHub
https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63v1.41.0
Patch available: logto-io/logto v1.41.0
https://github.com/logto-io/logto/releases/tag/v1.41.0fix(core): upgrade samlify to ^2.13.0
Patch available: logto-io/logto v1.41.0 (PR #9107 merged 2026-06-30)
https://github.com/logto-io/logto/pull/9107commit 9097054860f0 (logto-io/logto)
Patch available: logto-io/logto v1.41.0 (contains commit 9097054860f0)
https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 4× in last 7d / 4× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 21:12 UTCEG score recompute
- 2026-07-11 08:38 UTCEG score recompute
- 2026-07-10 20:04 UTCEG score recompute
- 2026-07-10 20:02 UTCMITRE cvelistV5first tracked
Frequently asked(4)
What is CVE-2026-55789?
When was CVE-2026-55789 disclosed?
What is the CVSS score of CVE-2026-55789?
How do I remediate CVE-2026-55789?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-55789
Is Your Infrastructure Affected by CVE-2026-55789?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.