Skip to main content

Auth0.js SDK CVE-2026-42280

| EUVDEUVD-2026-32533 HIGH
Incorrect Authorization (CWE-863)
2026-05-06 https://github.com/auth0/auth0.js GHSA-8qjv-jj2q-x832
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 06, 2026 - 17:45 vuln.today
Analysis Generated
May 06, 2026 - 17:45 vuln.today

DescriptionGitHub Advisory

Description

Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.

Am I Affected?

Users are affected if they meet each of the following preconditions:

  • Applications built using Auth0.js version between 8.11.0 and 9.32.0
  • The application’s access control relies on rules defined in Auth0 Actions.

Affected product and versions

auth0.js SDK v8.11.0 to v9.32.0

Resolution

Upgrade auth0/auth0.js to v10.0.0 or greater.

Acknowledgements

Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.

AnalysisAI

Token validation flaw in Auth0.js SDK versions 8.11.0 through 9.32.0 allows authenticated attackers to retrieve user profile information by submitting a valid access token alongside a crafted invalid ID token, bypassing access control rules defined in Auth0 Actions. The vulnerability affects applications that depend on Auth0 Actions for authorization decisions, potentially exposing sensitive user profile data to attackers holding valid but insufficiently privileged access tokens. Vendor-released patch available in version 10.0.0, discovered through coordinated disclosure by security researcher Quan Le.

Technical ContextAI

Auth0.js is a client-side JavaScript SDK for integrating Auth0 authentication and authorization services into web applications. This vulnerability stems from improper permission checking (CWE-863) in the SDK's token validation logic. When an application uses Auth0 Actions to define access control policies, the SDK should verify both access tokens and ID tokens before releasing user profile information. However, versions 8.11.0 through 9.32.0 contain a flaw where the SDK improperly trusts a valid access token even when paired with a maliciously crafted invalid ID token, bypassing the intended authorization checks. This affects the npm package auth0-js (pkg:npm/auth0-js), which handles OAuth 2.0 and OpenID Connect flows on the client side. The vulnerability exists in the interaction between token validation routines and the Auth0 Actions authorization framework, allowing attackers to manipulate the token validation sequence to access profile data they should not be authorized to view.

RemediationAI

Upgrade auth0-js to version 10.0.0 or later, which contains the vendor-released fix for the token validation flaw. The exact fixed version is confirmed by GitHub advisory GHSA-8qjv-jj2q-x832 at https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832. For npm-based projects, update package.json to specify auth0-js version 10.0.0 or higher and run npm update or npm install. If immediate upgrade is not feasible, implement compensating server-side authorization checks that do not rely solely on Auth0.js client-side token validation - specifically, enforce access control rules on the backend API layer independent of client-provided tokens, validating both access and ID tokens server-side before releasing user profile information. Note that this workaround adds latency to profile retrieval operations and requires backend API modifications, but prevents exploitation by ensuring authorization decisions occur in a trusted environment. Do not rely on client-side Auth0 Actions enforcement alone for sensitive authorization decisions during the vulnerable period.

Share

CVE-2026-42280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy