HIGH 7.1 npm
Auth0.js SDK has Improper Permission Checking
GHSA-8qjv-jj2q-x832 · CVE-2026-42280
Description
Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.
Am I Affected?
Users are affected if they meet each of the following preconditions:
- The application is built with Auth0.js versions 8.11.0 through 9.32.0.
- The application’s access control relies on rules defined in Auth0 Actions.
Affected product and versions
auth0.js SDK v8.11.0 to v9.32.0
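A lockfile check for the "Am I Affected?" version precondition, added here as an example; it is not code from the advisory or from auth0/auth0.js. It assumes the npm package name is auth0-js and that the lockfile is lockfileVersion 2 or 3 (exact installed versions in the "packages" map); it does not check the second precondition (Auth0 Actions rules), which has to be reviewed in the tenant.

```javascript
// Added example, not code from the advisory or from auth0/auth0.js: flag an
// installed auth0.js version inside the affected range 8.11.0 .. 9.32.0
// (inclusive). Assumption: the npm package name is "auth0-js".
const AFFECTED_PACKAGE = "auth0-js";
const AFFECTED_MIN = [8, 11, 0];
const AFFECTED_MAX = [9, 32, 0];

// Parse "MAJOR.MINOR.PATCH" into integers (leading "v" and suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies within the advisory's affected range.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 &&
         compareVersions(v, AFFECTED_MAX) <= 0;
}

// Every installed version of the package from the "packages" map of a
// lockfileVersion 2/3 lockfile; nested node_modules paths catch transitive copies.
function findInstalledVersions(lock, pkg = AFFECTED_PACKAGE) {
  const found = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${pkg}`) && entry.version) found.add(entry.version);
  }
  return [...found];
}
// Affected versions present in the lockfile; an empty array means not affected.
function affectedVersionsInLock(lock) {
  return findInstalledVersions(lock).filter(isAffectedVersion);
}

// Constructed sample lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/auth0-js": { version: "9.28.0" },
  "node_modules/some-dep/node_modules/auth0-js": { version: "10.0.0" },
} };
const hits = affectedVersionsInLock(SAMPLE_LOCK);
console.log(hits.length ? `AFFECTED: ${hits.join(", ")} (upgrade to >= 10.0.0)` : "not affected");
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json.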
Resolution
Upgrade auth0/auth0.js to v10.0.0 or greater.
Acknowledgements
Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.