A medium severity vulnerability affecting auth0/symfony versions >= 5.0.0-BETA0, <= 5.8.0, identified as CVE-2026-50157 with a CVSS score of 6.5, exists in Auth0 Symfony SDK applications that utilize the Authorizer security authenticator to protect HTTP routes. This flaw allows OAuth 2.0 bearer access tokens to be accepted through both the standard Authorization header and a URL query parameter, thereby increasing the risk of access token exposure and replay against protected API endpoints. The vulnerability is related to CWE-200 and CWE-598, can be exploited via network attack vector with low complexity requiring low privileges and no user interaction, and poses a high confidentiality risk due to potential unauthorized data access.
We recommend you to update Auth0 Symfony SDK to version 5.9.0 or greater.[/subscribe_to_unlock_form]
A medium severity vulnerability affecting auth0/symfony versions >= 5.0.0-BETA0, <= 5.8.0, identified as CVE-2026-50157 with a CVSS score of 6.5, exists in Auth0 Symfony SDK applications that utilize the Authorizer security authenticator to protect HTTP routes. This flaw allows OAuth 2.0 bearer access tokens to be accepted through both the standard Authorization header and a URL query parameter, thereby increasing the risk of access token exposure and replay against protected API endpoints. The vulnerability is related to CWE-200 and CWE-598, can be exploited via network attack vector with low complexity requiring low privileges and no user interaction, and poses a high confidentiality risk due to potential unauthorized data access.
We recommend you to update Auth0 Symfony SDK to version 5.9.0 or greater.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]