CVE-2026-42280
Auth.js SDK has Improper Permission Checking
Description
### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.
How to fix CVE-2026-42280
To remediate CVE-2026-42280, upgrade the affected package to a fixed version below.
- —upgrade to 10.0.0 or later
Is CVE-2026-42280 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 8.11.0, < 10.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |