CVE-2026-34236 · CRITICAL 9.8 · EPSS percentile 12.4%

Description

Auth0-PHP is a PHP SDK for the Auth0 Authentication and Management APIs. From version 8.0.0 up to (but not including) version 8.19.0, applications built with the Auth0 PHP SDK encrypt their session cookies with a key that has insufficient entropy (CWE-331). A threat actor who captures a cookie may therefore be able to brute-force the encryption key offline and then forge session cookies of their own. This issue has been patched in version 8.19.0.
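As an added illustration of the weakness class named above (CWE-331, insufficient entropy), this is not code from auth0-PHP and does not describe how the SDK actually derived its key; the page does not say. It is a hypothetical cookie scheme in which the 32-byte secretbox key is padded out from a 16-bit seed, the offline brute force that the authentication tag makes trivial once the keyspace is that small, and the corrected key generation from the CSPRNG. The function names, the 16-bit seed, and the JSON claim layout are assumptions made for the example.

```php
<?php
// Constructed illustration of CWE-331 in cookie encryption (not auth0-PHP code).
declare(strict_types=1);

// --- Vulnerable pattern (hypothetical): the key has the right length but only
// 16 bits of it vary, so there are just 65,536 possible keys.
function weakKeyFromSeed(int $seed): string
{
    return str_pad(pack('n', $seed), SODIUM_CRYPTO_SECRETBOX_KEYBYTES, "\0");
}

// Encrypt-and-authenticate a claims array with XSalsa20-Poly1305 (secretbox).
function encryptCookie(string $key, array $claims): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode($claims), $nonce, $key);
    return base64_encode($nonce . $box);
}

// Returns the claims, or null when the key is wrong or the cookie was altered.
function decryptCookie(string $key, string $cookie): ?array
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // Poly1305 tag mismatch: wrong key or tampered ciphertext
    }
    $claims = json_decode($plain, true);
    return is_array($claims) ? $claims : null;
}

// --- Attacker: with a 16-bit keyspace every candidate can be tried offline
// against a single captured cookie; the authentication tag is the oracle.
function bruteForceKey(string $capturedCookie): ?string
{
    for ($seed = 0; $seed <= 0xFFFF; $seed++) {
        $candidate = weakKeyFromSeed($seed);
        if (decryptCookie($candidate, $capturedCookie) !== null) {
            return $candidate;
        }
    }
    return null;
}

// --- Fixed pattern: draw the whole 256-bit key from the CSPRNG.
function strongKey(): string
{
    return sodium_crypto_secretbox_keygen(); // random_bytes(32) underneath
}

// Demo: recover the weak key, forge an elevated cookie, then show the fix holds.
$serverKey = weakKeyFromSeed(random_int(0, 0xFFFF));
$cookie    = encryptCookie($serverKey, ['sub' => 'user123', 'role' => 'user']);

$recovered = bruteForceKey($cookie);
if ($recovered !== $serverKey) {
    throw new RuntimeException('brute force failed');
}
$forged = encryptCookie($recovered, ['sub' => 'user123', 'role' => 'admin']);
echo 'server accepts forged cookie with role=',
     decryptCookie($serverKey, $forged)['role'] ?? 'n/a', PHP_EOL;

$strongCookie = encryptCookie(strongKey(), ['sub' => 'user123', 'role' => 'user']);
echo 'brute force against CSPRNG key: ',
     bruteForceKey($strongCookie) === null ? 'no hit' : 'hit', PHP_EOL;
```

The point of the example is that key length is not key entropy: a 32-byte key built from a few bytes of variable input is brute-forced in well under a second because every wrong guess is rejected by the AEAD tag and the right one is confirmed by it. For the real SDK, confirm the installed version with `composer show auth0/auth0-php` and upgrade to 8.19.0 or later; existing sessions issued under the old key derivation should be treated as forgeable and rotated.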

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction required; high impact on confidentiality, integrity and availability)
EPSS: 0.22% probability of exploitation · percentile 12.4% · scored 2026-06-19T12:03:05Z
Published: 2026-04-01
Last modified: 2026-04-07

Underlying weaknesses · 1

CWE-331: Insufficient Entropy

References

  1. https://github.com/auth0/auth0-PHP/releases/tag/8.19.0
  2. https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7

Type       Target                           Confidence  Tier
Weakness   Insufficient Entropy (cwe-331)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-47275
CVE: CVE-2026-42280
CVE: CVE-2026-39324
CVE: CVE-2026-25861
CVE: CVE-2026-49443
CVE: CVE-2026-31940

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.