Insufficient Entropy in Cookie Encryption in Auth0 PHP SDK
CVE-2026-34236

8.2 HIGH

Key Information:

Vendor: Auth0
Status: Vendor
CVE Published: 1 April 2026

What is CVE-2026-34236?

The Auth0 PHP SDK, used to integrate Auth0's authentication and management APIs, has a significant vulnerability in the way it encrypts cookies. In versions from 8.0.0 up to, but not including, 8.19.0, the SDK uses insufficient entropy when encrypting cookies. This flaw could allow an attacker to brute-force the encryption key and, with it, forge session cookies. The issue is fixed in version 8.19.0; developers should update to that version or later to protect their applications against unauthorized access.

Affected Version(s)

auth0-PHP >= 8.0.0, < 8.19.0

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 1 April 2026

  • Vulnerability reserved