CVE-2026-40155 MEDIUM

CVE-2026-40155: Auth0 Next.js SDK has Improper Proxy Cache Lookup

Vendor Auth0

Product nextjs-auth0

Weakness CWE-863 · Incorrect authorization

Published April 17, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.

Key dates

02Disclosure timeline

April 17, 2026 CVE published

April 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40155

Related vulnerabilities

CVE-2026-40155: Auth0 Next.js SDK has Improper Proxy Cache Lookup

01Description

02Disclosure timeline

03References

04Related CVE