CVE-2026-55789
Logto’s self-hosted SAML IdP (prior to v1.41.0) was vulnerable: it built signed SAML responses by substituting user-controlled profile attributes into an unescaped XML template, allowing an authenticated low-privilege user to forge a SAML attribute (e.g., role) and cause privilege escalation at r...