CVE-2026-34236 HIGH

CVE-2026-34236: Auth0 PHP SDK Insufficient Entropy in Cookie Encryption

Vendor Auth0

Product auth0-PHP

Weakness CWE-331

Published April 1, 2026

Last update April 1, 2026

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

Key dates

Disclosure timeline

April 1, 2026 CVE published

April 1, 2026 Record updated