CVE-2026-42280

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.

high 7.1 CVSS 3.1
Published: May 27, 2026
Modified: Jun 4, 2026
Vendor: Auth0
Product: Auth0.Js

Description

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.

References

Related CVEs

CVE-2025-68129 medium · 6.8
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly.