Nonce Handling Vulnerability in Auth0 Next.js SDK
CVE-2026-40155
CVSS 5.4 (MEDIUM)
What is CVE-2026-40155?
The Auth0 Next.js SDK (nextjs-auth0) has a vulnerability affecting versions 4.12.0 through 4.17.1: when concurrent requests trigger a DPoP nonce retry, the proxy cache fetcher can perform incorrect lookups for token requests. The issue affects projects that use a vulnerable version together with the specified proxy handler endpoints with DPoP enabled. Users are advised to upgrade to version 4.18.0, where the problem has been resolved.
Affected Version(s)
nextjs-auth0 >= 4.12.0, < 4.18.0
