CVE-2026-42280: Improper Permission Checking in Auth.js SDK

Published May 6, 2026
·
Updated

Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.

Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions.

Affected product and versions auth0.js SDK v8.11.0 to v9.32.0

Resolution Upgrade auth0/auth0.js to v10.0.0 or greater.

Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.

Other sources

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.

MITRE

Affected Software

2 affected componentsFixes available
npm/auth0-js>=8.11.0<=9.32.0
10.0.0
Auth0 Auth0.js Node.js>=8.11.0<10.0.0

Event History

May 6, 2026
Advisory Published
via GitHub·05:05 PM
Data Sourced
via GitHub·05:05 PM
DescriptionSeverityWeaknessAffected Software
May 27, 2026
CVE Published
via MITRE·02:39 PM
Data Sourced
via MITRE·02:39 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·03:16 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-42280?

CVE-2026-42280 is classified as a medium severity vulnerability due to its potential to expose sensitive user profile information.

2

How do I fix CVE-2026-42280?

To fix CVE-2026-42280, update the Auth0.js SDK to version 10.0.0 or later.

3

Who is affected by CVE-2026-42280?

Users are affected by CVE-2026-42280 if they are using Auth0.js SDK versions between 8.11.0 and 9.32.0.

4

What does CVE-2026-42280 allow attackers to do?

CVE-2026-42280 allows attackers to improperly access user profile information using a valid access token with a crafted invalid ID token.

5

Is CVE-2026-42280 present in all Auth0.js SDK versions?

No, CVE-2026-42280 is only present in specific versions of the Auth0.js SDK, namely between 8.11.0 and 9.32.0.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203