CVE-2026-42280: CWE-863: Incorrect Authorization in auth0 auth0.js
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
AI Analysis
Technical Summary
Auth0.js versions from 8.11.0 to 9.32.0 contain an authorization flaw where, under specific preconditions, the SDK may return user profile data despite receiving an invalid ID token if a valid access token is also provided. This improper authorization can lead to unauthorized disclosure of user profile information. The issue is tracked as CWE-863 (Incorrect Authorization) and has a CVSS 3.1 base score of 7.1, indicating high severity. The vulnerability was publicly disclosed with no vendor advisory explicitly stating remediation details, but it is fixed in Auth0.js version 10.0.0.
Potential Impact
The vulnerability allows an attacker who can provide a valid access token and a crafted invalid ID token to potentially access user profile information improperly. This leads to a confidentiality breach of user data. There is no indication of impact on integrity or availability. No known exploits have been reported in the wild.
Mitigation Recommendations
Upgrade Auth0.js to version 10.0.0 or later, where this vulnerability is fixed. Since no official vendor advisory or patch link is provided, verify the upgrade path with Auth0's official resources. Patch status is not explicitly confirmed beyond the fix in version 10.0.0, so check vendor advisories for the latest remediation guidance.
CVE-2026-42280: CWE-863: Incorrect Authorization in auth0 auth0.js
Description
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
CVSS v3.1
Score 7.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Auth0.js versions from 8.11.0 to 9.32.0 contain an authorization flaw where, under specific preconditions, the SDK may return user profile data despite receiving an invalid ID token if a valid access token is also provided. This improper authorization can lead to unauthorized disclosure of user profile information. The issue is tracked as CWE-863 (Incorrect Authorization) and has a CVSS 3.1 base score of 7.1, indicating high severity. The vulnerability was publicly disclosed with no vendor advisory explicitly stating remediation details, but it is fixed in Auth0.js version 10.0.0.
Potential Impact
The vulnerability allows an attacker who can provide a valid access token and a crafted invalid ID token to potentially access user profile information improperly. This leads to a confidentiality breach of user data. There is no indication of impact on integrity or availability. No known exploits have been reported in the wild.
Mitigation Recommendations
Upgrade Auth0.js to version 10.0.0 or later, where this vulnerability is fixed. Since no official vendor advisory or patch link is provided, verify the upgrade path with Auth0's official resources. Patch status is not explicitly confirmed beyond the fix in version 10.0.0, so check vendor advisories for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T11:53:27.717Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a170b54e29bf47b50c905f9
Added to database: 5/27/2026, 3:18:44 PM
Last enriched: 5/27/2026, 8:08:43 PM
Last updated: 5/29/2026, 4:51:30 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.