HIGH🇬🇧 English

CVE-2026-34236

CVSS 8.2v3.1pub. 2026-04-01upd. 2026-04-07

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Auth0 PHP

    APP
    Auth0
    8.0.0 – 8.19.0 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2025-68129MEDIUM6.8ten sam produkt

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP ...

CVE-2020-7947CRITICAL9.8ten sam vendor

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that c...

CVE-2019-7644CRITICAL9.8ten sam vendor

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot s...

CVE-2015-9235CRITICAL9.8ten sam vendor

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token di...

CVE-2018-6873CRITICAL9.8ten sam vendor

The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not...