CVE-2026-34236
Insufficient Entropy in Auth0-PHP Cookies Enables Session Forgery
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| auth0 | auth0-php | From 8.0.0 (inc) to 8.19.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade the Auth0 PHP SDK to version 8.19.0 or later, where the issue of insufficient entropy in cookie encryption has been fixed.
Additionally, ensure that your PHP environment is updated to at least PHP 8.2, as PHP 8.1 support has been dropped in the fixed release.
Can you explain this vulnerability to me?
The vulnerability in Auth0-PHP SDK versions 8.0.0 to 8.18.0 involves cookies being encrypted with insufficient entropy. This means the encryption key used for securing cookies is weak and can be brute-forced by attackers. As a result, threat actors can forge session cookies, compromising session integrity.
How can this vulnerability impact me?
This vulnerability can allow attackers to brute-force the encryption key used for cookies, enabling them to forge session cookies. This compromises the confidentiality and integrity of user sessions, potentially allowing unauthorized access to sensitive data and user accounts. The attack requires network access, low privileges, and no user interaction, but has high attack complexity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Auth0-PHP SDK versions 8.0.0 to 8.18.0 involves insufficient entropy in cookie encryption, which allows attackers to brute-force encryption keys and forge session cookies. This leads to high confidentiality and integrity impacts, meaning unauthorized access to sensitive data and modification of session information is possible.
Such unauthorized access and data integrity compromise can negatively affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strong protection of personal and sensitive information to prevent data breaches and unauthorized disclosures.
Therefore, organizations using vulnerable versions of the Auth0 PHP SDK may face increased risk of non-compliance with these regulations until they upgrade to version 8.19.0 or later, where the issue is fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Auth0 PHP SDK versions from 8.0.0 up to and including 8.18.0, where cookies are encrypted with insufficient entropy. Detection therefore comes down to identifying whether your system is running an affected version of the SDK.
Check the installed version of the Auth0 PHP SDK in each project: if it is between 8.0.0 and 8.18.0 inclusive, that system is vulnerable; 8.19.0 and later contain the fix.
Suggested commands to check the installed version of the Auth0 PHP SDK in your project:
- If using Composer, run: `composer show auth0/auth0-php | grep versions`
- Alternatively, check your `composer.lock` file for the `auth0/auth0-php` package version.
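The `composer.lock` check above can be automated across many projects. The following is an added example, not code from this advisory or from the Auth0 project: it reads a `composer.lock`, finds the `auth0/auth0-php` entry, and tests the version against the affected range given in the table above (8.0.0 inclusive to 8.19.0 exclusive). The sample lock file is constructed for the example. Two caveats a practitioner would want are handled: Composer versions may carry a `v` prefix, and pre-release tags of the fixed version (for example `8.19.0-beta1`) are conservatively reported as affected, while branch aliases such as `dev-main` cannot be compared and are reported as unparseable.

```python
"""
Added example (not part of the advisory or the Auth0 SDK): flag an
auth0/auth0-php entry in composer.lock that falls in the range
affected by CVE-2026-34236, i.e. >= 8.0.0 and < 8.19.0.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "auth0/auth0-php"

# Versions are compared as (major, minor, patch, release_flag), where
# release_flag is 0 for a pre-release tag and 1 for a final release, so
# that 8.19.0-beta1 sorts below 8.19.0 and is still treated as affected.
AFFECTED_MIN = (8, 0, 0, 0)   # inclusive lower bound
FIXED_AT = (8, 19, 0, 1)      # exclusive upper bound: 8.19.0 contains the fix

# Constructed sample composer.lock, trimmed to the fields that matter here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "3.0.0"},
        {"name": "auth0/auth0-php", "version": "v8.12.1"},
    ],
    "packages-dev": [],
})

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse MAJOR.MINOR.PATCH[-prerelease]; None for aliases like dev-main."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when the version lies inside [8.0.0, 8.19.0)."""
    parsed = parse_version(version)
    if parsed is None:
        return False  # unparseable: caller should treat it as 'unknown'
    return AFFECTED_MIN <= parsed < FIXED_AT


def find_installed_version(lock_json: str) -> Optional[str]:
    """Return the locked version string of auth0/auth0-php, if present."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def assess_lockfile(lock_json: str) -> dict:
    """Summarise whether a composer.lock pins an affected SDK version."""
    version = find_installed_version(lock_json)
    if version is None:
        return {"installed": False, "version": None,
                "affected": False, "parseable": True}
    return {
        "installed": True,
        "version": version,
        "affected": is_affected(version),
        "parseable": parse_version(version) is not None,
    }


if __name__ == "__main__":
    # Point this at a real lock file: assess_lockfile(open("composer.lock").read())
    print(assess_lockfile(SAMPLE_LOCK))
```

A result with `"parseable": False` (a branch alias rather than a tagged release) should be resolved by hand, since the script cannot tell which commit the alias points at.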
Network detection of exploitation attempts would be difficult because the attack involves brute-forcing the encryption keys used for cookies, a cryptographic weakness rather than a network signature. Monitoring for unusual authentication or session anomalies might help, but no specific network commands or signatures are provided.