Home / Vulnerability Intelligence / CVE-2026-34236

CVE-2026-34236 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: April 1, 2026

Auth0 PHP SDK - Authentication Bypass

Published: April 1, 2026Updated: April 1, 2026Remote Exploitable

Overview

Auth0 PHP SDK >= 8.0.0 and < 8.19.0 contains a broken authentication caused by insufficient entropy in cookie encryption, letting attackers brute-force encryption keys and forge session cookies, exploit requires no special privileges.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can forge session cookies, potentially leading to unauthorized access and impersonation of users.

Mitigation

Upgrade to version 8.19.0 or later.

References

https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7
https://github.com/auth0/auth0-PHP/releases/tag/8.19.0

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34236
Severity: High
CVSS Score: 8.2
Type: broken_authentication
Status: new

CWE

CWE-331

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N