High severity 7.1 · GHSA Advisory · Published May 27, 2026 · Updated Jun 4, 2026
CVE-2026-42280
Description
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| auth0-js (npm) | >= 8.11.0, < 10.0.0 | 10.0.0 |
References
- github.com/advisories/GHSA-8qjv-jj2q-x832 (ghsa, ADVISORY)
- github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-42280 (ghsa, ADVISORY)