CVE-2026-34236
HIGHAuth0 PHP SDK Insufficient Entropy in Cookie Encryption
Title source: cnaDescription
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7
X_Refsource_Misc x_refsource_misc
https://github.com/auth0/auth0-PHP/releases/tag/8.19.0
Scores
CVSS v3
8.2
EPSS
0.0022
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-331
Status
published
Products (3)
auth0/auth0-php
8.0.0 - 8.19.0Packagist
auth0/auth0-php
8.0.0 - 8.19.0
auth0/auth0-PHP
>= 8.0.0, < 8.19.0
Published
Apr 01, 2026
Tracked Since
Apr 01, 2026