Threat Advisory

Auth0 Symfony SDK Accepts Bearer Tokens via URL Query Parameter

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A medium severity vulnerability affecting auth0/symfony versions >= 5.0.0-BETA0, <= 5.8.0, identified as CVE-2026-50157 with a CVSS score of 6.5, exists in Auth0 Symfony SDK applications that utilize the Authorizer security authenticator to protect HTTP routes. This flaw allows OAuth 2.0 bearer access tokens to be accepted through both the standard Authorization header and a URL query parameter, thereby increasing the risk of access token exposure and replay against protected API endpoints. The vulnerability is related to CWE-200 and CWE-598, can be exploited via network attack vector with low complexity requiring low privileges and no user interaction, and poses a high confidentiality risk due to potential unauthorized data access.

RECOMMENDATION:

We recommend you to update Auth0 Symfony SDK to version 5.9.0 or greater.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A medium severity vulnerability affecting auth0/symfony versions >= 5.0.0-BETA0, <= 5.8.0, identified as CVE-2026-50157 with a CVSS score of 6.5, exists in Auth0 Symfony SDK applications that utilize the Authorizer security authenticator to protect HTTP routes. This flaw allows OAuth 2.0 bearer access tokens to be accepted through both the standard Authorization header and a URL query parameter, thereby increasing the risk of access token exposure and replay against protected API endpoints. The vulnerability is related to CWE-200 and CWE-598, can be exploited via network attack vector with low complexity requiring low privileges and no user interaction, and poses a high confidentiality risk due to potential unauthorized data access.

RECOMMENDATION:

We recommend you to update Auth0 Symfony SDK to version 5.9.0 or greater.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu