What the vulnerability does
01 Description
Auth0-PHP is a PHP SDK for the Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation of access tokens is performed improperly. Without proper audience validation, affected applications may accept ID tokens as access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or if they use one of the following SDKs that depend on Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or the Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.
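The distinction the description turns on is the `aud` claim: an access token issued for an API carries that API's identifier in `aud`, whereas an ID token carries the application's `client_id`, so a resource server that checks signature, issuer and expiry but never compares `aud` with its own identifier will accept both. The following is an added example (not code from the Auth0-PHP SDK or from this advisory) that shows a check of that weaker shape beside a hardened one. It is written in Python rather than PHP so that it runs stand-alone; the issuer, API identifier, client ID, signing key and clock value are all constructed for the demonstration, and HS256 is used only so that sample tokens can be minted offline (Auth0 issues RS256 tokens, but the audience comparison does not depend on the signing algorithm).

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this demonstration; none come from a real tenant.
ISSUER = "https://example-tenant.auth0.example/"  # hypothetical tenant issuer
API_AUDIENCE = "https://api.example.com/"          # identifier the resource server expects in aud
CLIENT_ID = "abc123clientid"                        # hypothetical application client_id
SECRET = b"demo-signing-key"                        # HS256 key, used only to keep the demo self-contained
NOW = 1_700_000_000                                 # fixed clock so results are deterministic


class TokenRejected(Exception):
    """Raised when a token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (demo helper so that sample tokens exist offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def _verified_claims(token: str, key: bytes, issuer: str, now: int) -> dict:
    """Steps shared by both checks below: structure, signature, issuer and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    return claims


def weak_check(token: str, key: bytes, issuer: str, now: int = NOW) -> dict:
    """Illustrative flawed check (not the SDK's actual code): it stops after
    signature, issuer and expiry and never compares aud with the API identifier,
    so any token the tenant signed for this issuer passes, an ID token included."""
    return _verified_claims(token, key, issuer, now)


def verify_access_token(token: str, key: bytes, audience: str, issuer: str, now: int = NOW) -> dict:
    """Hardened check: aud (a string or a list, per RFC 7519) must contain the
    resource server's own API identifier; anything else is rejected."""
    claims = _verified_claims(token, key, issuer, now)
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in audiences:
        raise TokenRejected(f"audience mismatch: {audiences!r}")
    return claims


def accepted(checker, token: str, *args) -> bool:
    """True if checker returns claims, False if it raises TokenRejected."""
    try:
        checker(token, *args)
        return True
    except TokenRejected:
        return False


# Constructed sample tokens, both signed with the same (demo) issuer key.
ACCESS_TOKEN = make_hs256_jwt({
    "iss": ISSUER, "sub": "auth0|user1", "iat": NOW - 60, "exp": NOW + 3600,
    "aud": [API_AUDIENCE, ISSUER + "userinfo"], "scope": "read:items",
}, SECRET)
ID_TOKEN = make_hs256_jwt({
    "iss": ISSUER, "sub": "auth0|user1", "iat": NOW - 60, "exp": NOW + 3600,
    "aud": CLIENT_ID, "nonce": "n-0S6_WzA2Mj", "email": "user1@example.com",
}, SECRET)

if __name__ == "__main__":
    print("weak check accepts ID token:   ", accepted(weak_check, ID_TOKEN, SECRET, ISSUER))
    print("hardened accepts access token: ", accepted(verify_access_token, ACCESS_TOKEN, SECRET, API_AUDIENCE, ISSUER))
    print("hardened accepts ID token:     ", accepted(verify_access_token, ID_TOKEN, SECRET, API_AUDIENCE, ISSUER))
```

Running the script shows the ID token passing `weak_check` and failing `verify_access_token`, while the access token passes both. The point for a resource server is that `aud` must be compared with the server's own identifier rather than merely checked for presence; after upgrading to a patched SDK version, confirming that an ID token is rejected by a protected endpoint is a quick regression test.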
Explanation of Vulnerability in Simple Terms
02 Summary
Auth0's PHP SDK versions 8.0.0 through 8.17.x contain an authorization flaw that allows authenticated users to access or modify resources they should not have permission to use. The vulnerability requires low privileges and network access but no user interaction. Confidentiality and integrity of protected resources are at risk.
What an attacker can do
03 Attacker Capabilities
Read or modify resources belonging to other users or applications within the Auth0 tenant.
Potential impact on your site
04 Site Impact
Users' data and application settings may be exposed to or modified by other authenticated users in the same Auth0 tenant.
Conditions required to exploit
05 Prerequisites
The attacker must have a valid Auth0 account with low privileges and network access to the application.
Key dates
06 Disclosure timeline
December 17, 2025: CVE published
December 18, 2025: Record updated