CVE-2026-34236

EPSS 0.22%
Veröffentlicht 01.04.2026 17:04:53
Zuletzt bearbeitet 07.04.2026 20:20:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Auth0 PHP SDK Insufficient Entropy in Cookie Encryption

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Auth0 ≫ Auth0-php Version >= 8.0.0 < 8.19.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.124

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.2	1.8	5.8	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7

Vendor Advisory

https://github.com/auth0/auth0-PHP/releases/tag/8.19.0

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-34236

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34236

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34236

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34236