High severity8.2NVD Advisory· Published Apr 1, 2026· Updated Apr 7, 2026

CVE-2026-34236

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
auth0/auth0-phpPackagist	>= 8.0.0, < 8.19.0	8.19.0

Affected products

Auth0/Auth0 Php
cpe:2.3:a:auth0:auth0-php:*:*:*:*:*:*:*:*
Range: >=8.0.0,<8.19.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-w3wc-44p4-m4j7ghsaADVISORY
github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-34236ghsaADVISORY
github.com/auth0/auth0-PHP/releases/tag/8.19.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000