CVE-2026-42280
Analyzed Analyzed - Analysis Complete
Auth0.js Access Token Information Exposure via Invalid ID Token

Publication date: 2026-05-27

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-04
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42280
EUVD
EUVD-2026-32533
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
auth0 auth0.js From 8.11.0 (inc) to 10.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Auth0.js SDK may improperly expose user profile information under specific conditions, which can lead to unauthorized disclosure of personal data.

Such unauthorized exposure of user data could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.

To mitigate this risk and maintain compliance, affected users should upgrade to Auth0.js SDK version 10.0.0 or higher, where the vulnerability is fixed.

Executive Summary

This vulnerability exists in the Auth0.js client-side JavaScript library versions from 8.11.0 to 9.32.0. Under certain specific conditions, the SDK may improperly return user profile information when provided with a valid access token alongside a specially crafted invalid ID token. This means that the library could expose user profile data incorrectly due to the way it handles token validation.

The issue is fixed in version 10.0.0 of Auth0.js.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of user profile information. An attacker who can provide a valid access token and a specially crafted invalid ID token may be able to retrieve sensitive user data that should not be accessible. This can compromise user privacy and potentially lead to further security issues.

The CVSS score of 7.1 indicates a high severity impact on confidentiality, with low attack complexity and no user interaction required.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Auth0.js library to version 10.0.0 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart