Description
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logical flaw in the Auth0.js client‑side SDK causes it to return user profile information when a valid access token is supplied alongside a specially crafted invalid ID token. The bug exists in releases from 8.11.0 up through 9.32.0 and is classified as an access‑control logic error (CWE‑863). If exploited, an attacker could learn sensitive profile data without proper authorization.

Affected Systems

The Auth0 JavaScript authentication library (auth0.js) is vulnerable in versions 8.11.0 through 9.32.0. Systems running these versions of the SDK are susceptible to the vulnerability unless they have migrated to later releases.

Risk and Exploitability

The CVSS score is 7.1, indicating a high risk level. No EPSS value is published, and the issue is not listed in CISA’s KEV catalog. Given the client‑side nature of the library, attackers would need to influence the ID token presented in a browser context; once done, the SDK’s improper permission check can expose confidential user profiles. The absence of a publicly documented exploit suggests the vulnerability is not widely leveraged yet, but the severity score warrants prompt remediation.

Generated by OpenCVE AI on May 27, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Auth0.js library to version 10.0.0 or later.
  • Audit your application to ensure that no older auth0.js versions (8.11.0‑9.32.0) remain bundled or referenced.
  • If upgrading is not immediately possible, enforce strict server‑side validation of ID tokens and avoid relying on client‑side logic to retrieve user profiles.

Generated by OpenCVE AI on May 27, 2026 at 19:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8qjv-jj2q-x832 Auth.js SDK has Improper Permission Checking
History

Thu, 04 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:node.js:*:*

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Auth0
Auth0 auth0.js
Vendors & Products Auth0
Auth0 auth0.js

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
Title Improper Permission Checking in Auth.js SDK
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Auth0 Auth0.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:36:56.102Z

Reserved: 2026-04-26T11:53:27.717Z

Link: CVE-2026-42280

cve-icon Vulnrichment

Updated: 2026-05-28T15:36:51.445Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T15:16:27.753

Modified: 2026-06-04T17:02:15.363

Link: CVE-2026-42280

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:30:06Z

Weaknesses