ByteOS Network

NVD Vulnerability Details :

CVE-2026-34236

Analyzed

Source-security-advisories@github.com

Published At-01 Apr, 2026 | 18:16

Updated At-07 Apr, 2026 | 20:20

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.2	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.2

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Type: Primary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CPE Matches

auth0>>auth0-php>>Versions from 8.0.0(inclusive) to 8.19.0(exclusive)

cpe:2.3:a:auth0:auth0-php:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-331	Primary	security-advisories@github.com

CWE ID: CWE-331

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/auth0/auth0-PHP/releases/tag/8.19.0	security-advisories@github.com	Product Release Notes
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/auth0/auth0-PHP/releases/tag/8.19.0

Source: security-advisories@github.com

Resource:

Product

Release Notes

Hyperlink: https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7

Source: security-advisories@github.com

Resource:

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History