How to fix CVE-2026-34236?

Within 24 hours: inventory all applications and services using Auth0 PHP SDK and document current versions in use. Within 7 days: upgrade to Auth0 PHP SDK version 8.19.0 or later across all production and non-production environments. Within 30 days: conduct authentication audit to identify any suspicious session activity during the vulnerability exposure window and validate that no unauthorized cookies were generated.

Is PHP affected by CVE-2026-34236?

Auth0 PHP SDK versions 8.0.0 through 8.18.x contain weak cookie encryption that allows authenticated network attackers to brute-force session keys and forge authentication tokens, potentially bypassing access controls across multiple applications relying on the SDK.

CVE-2026-34236

EUVD-2026-17979 HIGH

2026-04-01 GitHub_M

GHSA-w3wc-44p4-m4j7

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch Released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 17:30 euvd

EUVD-2026-17979

Analysis Generated

Apr 01, 2026 - 17:30 vuln.today

CVE Published

Apr 01, 2026 - 17:04 nvd

HIGH 8.2

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

Analysis

Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. …

Remediation

Within 24 hours: inventory all applications and services using Auth0 PHP SDK and document current versions in use. Within 7 days: upgrade to Auth0 PHP SDK version 8.19.0 or later across all production and non-production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: 0

CVE-2026-34236 vulnerability details – vuln.today

Back

CVE-2026-34236

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34236

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code