CVE-2026-42280
EUVD-2026-3253327.05.2026, 15:16
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| auth0 | auth0.js | 8.11.0 ≤ 𝑥 < 10.0.0 |
𝑥
= Vulnerable software versions