CVE-2026-34236 — HIGH (8.2)

Q: How severe is CVE-2026-34236?

CVE-2026-34236 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-34236?

Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Auth0-Php.

Vulnerability Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Auth0	Auth0-Php	>= 8.0.0, < 8.19.0

Related Weaknesses (CWE)

CWE-331

References

https://github.com/auth0/auth0-PHP/releases/tag/8.19.0ProductRelease Notes
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7Vendor Advisory

FAQ

What is CVE-2026-34236?

CVE-2026-34236 is a vulnerability with a CVSS score of 8.2 (HIGH). Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient ...

How severe is CVE-2026-34236?

CVE-2026-34236 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-34236?

Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Auth0-Php.