CVE-2026-42280

HIGH NVD

CVSS Score 7.1

Severity HIGH

Published May 27, 2026

Vendor unknown

Description

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.

References

https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832