Description
Under specific preconditions, the Auth0.js SDK may improperly return user profile information fetched with a valid access token even though the ID token supplied alongside it is invalid and specifically crafted to trigger this behaviour. An application that treats the SDK's result as proof of a validated identity may therefore receive profile data that was not gated by successful ID token validation.
Recommendation
Update the auth0-js package to the latest compatible version. Version details:
- Affected version(s): >= 8.11.0, <= 9.32.0
- Patched version(s): 10.0.0
Note that 10.0.0 is a major release, so review the package changelog for breaking changes before upgrading, and confirm the installed version with `npm ls auth0-js` after the update.
Tags: npm, auth0-js
Last updated on May 06, 2026