Skip to main content

Nextjs Auth0 CVE-2026-40155

| EUVDEUVD-2026-23537 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-17 GitHub_M GHSA-xq8m-7c5p-c2r6
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 19:41 nvd
Patch available
Patch available
Apr 17, 2026 - 22:16 EUVD
Analysis Generated
Apr 17, 2026 - 21:37 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 21:15 euvd
EUVD-2026-23537
Analysis Generated
Apr 17, 2026 - 21:15 vuln.today
CVE Published
Apr 17, 2026 - 20:54 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.

AnalysisAI

Authentication bypass in Auth0 Next.js SDK versions 4.12.0 through 4.17.1 allows authenticated users with UI interaction to access sensitive endpoints through improper proxy cache lookups during concurrent nonce retry operations. The vulnerability specifically affects deployments using the proxy handler with DPoP (Demonstration of Proof-of-Possession) enabled, potentially exposing confidential user information via /me/* and /my-org/* endpoints. Vendor-released patch: version 4.18.0.

Technical ContextAI

The Auth0 Next.js SDK provides authentication abstraction for Next.js applications, interfacing with Auth0's identity platform. The vulnerability exists in the proxy cache fetcher component responsible for handling token request results and nonce management during the OAuth/OIDC flow. When simultaneous requests trigger nonce retries (a mechanism to refresh or revalidate authentication tokens), the cache lookup mechanism performs improper key matching or state isolation, causing one user's cached authentication context to be misattributed to another concurrent request. The DPoP (Demonstration of Proof-of-Possession) mechanism, an OAuth extension for binding tokens to specific client instances, amplifies this issue by adding an additional layer of request-specific binding that the cache fetcher fails to properly respect during concurrent access. CWE-863 (Incorrect Authorization) indicates the root cause is flawed authorization decision logic, specifically the failure to properly isolate or validate session/user context during cache operations.

RemediationAI

Immediately upgrade to Auth0 Next.js SDK version 4.18.0 or later, which includes the corrected proxy cache fetcher logic that properly isolates concurrent requests and respects DPoP token binding. The fix is available at https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0. For organizations unable to upgrade immediately, disable the DPoP feature in Auth0 configuration (if business logic permits) or restrict concurrent session access via load balancer/reverse proxy rate limiting on /me/* and /my-org/* endpoints to reduce collision probability; however, these workarounds do not address the root cache isolation defect and should be considered temporary only. The fix commit 98c36dc306970c2230ea1a32efef431d29b99978 is available for review and contains specific changes to cache key generation and user context isolation during nonce retry operations.

Share

CVE-2026-40155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy