VYPR
High severity7.1GHSA Advisory· Published May 27, 2026· Updated Jun 4, 2026

CVE-2026-42280

CVE-2026-42280

Description

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
auth0-jsnpm
>= 8.11.0, < 10.0.010.0.0

Affected products

3
  • Auth0/Auth0.jsGHSA2 versions
    >= 8.11.0, <= 9.32.0+ 1 more
    • (no CPE)range: >= 8.11.0, <= 9.32.0
    • cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:node.js:*:*range: >=8.11.0,<10.0.0
  • ghsa-coords
    Range: >= 8.11.0, < 10.0.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.