CVE-2026-40155
Received Received - Intake
Token Request Cache Poisoning in Auth0 Next.js SDK (v

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40155
EUVD
EUVD-2026-23537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
auth0 nextjs-auth0 From 4.12.0 (inc) to 4.18.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Auth0 Next.js SDK versions 4.12.0 through 4.17.1. It occurs when simultaneous requests trigger a nonce retry, causing the proxy cache fetcher to perform improper lookups for token request results. This affects projects using these vulnerable versions along with the proxy handler paths /me/* and /my-org/* when DPoP (Demonstration of Proof-of-Possession) is enabled.

The issue has been resolved in version 4.18.0 of the SDK.

Impact Analysis

The vulnerability can lead to improper token request lookups during simultaneous requests, which may result in incorrect or unauthorized token handling. This could potentially allow an attacker to gain access to sensitive user authentication tokens or cause authentication failures.

The CVSS base score of 5.4 indicates a medium severity impact, with high confidentiality impact, low integrity impact, and no availability impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Auth0 Next.js SDK to version 4.18.0 or later, where the issue has been fixed.

Additionally, if your project uses the proxy handler /me/* and /my-org/* with DPoP enabled, ensure these configurations are reviewed and tested after the upgrade.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart