EXECUTIVE SUMMARY:
CVE-2026-42280 (CVSS 7.1) is a vulnerability in the Auth0.js SDK (the auth0-js npm package) that allows an attacker to obtain user profile information they are not authorized to see, using a valid access token. Affected versions are 8.11.0 through 9.32.0. The issue is triggered when a specially crafted, invalid ID token is supplied to the SDK: an attacker sends such a token to an application that relies on rules defined in Auth0 Actions and is thereby able to read user profile information without authorization. The exposed data can be used for identity theft and targeted attacks, and for organizations that depend on Auth0.js for authentication and access control an exploit could result in a data breach and loss of customer trust. Exploitation requires access to the application's authentication flow and the ability to manipulate the ID token passed to the SDK.
RECOMMENDATION:
We recommend updating auth0-js to v10.0.0 or later. Because 10.0.0 is a new major release, check the package's changelog for breaking changes before rolling it out, and look for nested copies of auth0-js pulled in by other dependencies, not only the direct install.
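The following Node.js script is an added example, not code from this advisory or from the auth0-js project. It walks a package-lock.json (v1 nested "dependencies" tree or v2/v3 flat "packages" map) and classifies every auth0-js install against the affected range and the recommended minimum stated above. The version boundaries are taken from the advisory text; the sample lockfile embedded in the script is constructed for illustration.

```javascript
// Added example (not from the advisory or the auth0-js project): classify the
// auth0-js versions pinned in a package-lock.json against the range stated above.
// Boundaries come from the advisory text; the sample lockfile below is constructed.

const AFFECTED_MIN = "8.11.0"; // first affected release per the advisory
const AFFECTED_MAX = "9.32.0"; // last affected release per the advisory
const FIXED_MIN = "10.0.0";    // recommended minimum version

// Parse "major.minor.patch" (optional leading "v"; any pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "fixed": meets the recommendation; "affected": inside the advisory's range;
// "outside-advisory-range": neither (older than 8.11.0, or between 9.32.0 and 10.0.0).
function classify(version) {
  if (compareVersions(version, FIXED_MIN) >= 0) return "fixed";
  if (compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, AFFECTED_MAX) <= 0) {
    return "affected";
  }
  return "outside-advisory-range";
}

// Find every auth0-js install, including copies nested under other packages.
// Lockfile v2/v3 exposes a flat "packages" map keyed by install path; v1 nests
// "dependencies" trees, so both shapes are handled.
function findAuth0Js(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/auth0-js" || path.endsWith("/node_modules/auth0-js")) {
        hits.push({ path, version: entry.version, status: classify(entry.version) });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "auth0-js") {
        hits.push({ path, version: entry.version, status: classify(entry.version) });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Convenience wrapper: pass the raw text of package-lock.json.
function scanLockfileText(text) {
  return findAuth0Js(JSON.parse(text));
}

// Constructed sample lockfile: a direct install inside the affected range and a
// nested copy that is already on the fixed line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "webapp", version: "1.0.0" },
    "node_modules/auth0-js": { version: "9.28.0" },
    "node_modules/login-widget": { version: "2.1.0" },
    "node_modules/login-widget/node_modules/auth0-js": { version: "10.0.0" },
  },
};

for (const hit of findAuth0Js(SAMPLE_LOCK)) {
  console.log(`${hit.path}: auth0-js ${hit.version} -> ${hit.status}`);
}
```

To run it against a real project, read package-lock.json from disk and pass its contents to scanLockfileText; any entry reported as "affected" should be upgraded, and a nested copy is only fixed when the package that depends on it is also updated.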
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-8qjv-jj2q-x832