GHSA-w3wc-44p4-m4j7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w3wc-44p4-m4j7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3wc-44p4-m4j7/GHSA-w3wc-44p4-m4j7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w3wc-44p4-m4j7
- Aliases
-
- CVE-2026-34236
- Published
- 2026-04-01T20:29:26Z
- Modified
- 2026-04-01T20:46:37.903303Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption
- Details
-
Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
Am I Affected?
Consumers are affected if their application meets the following preconditions: - Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0 - Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: - Auth0/symfony, - Auth0/laravel0-auth0, or - Auth0/wordpress
Resolution
Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater.
- Database specific
{ "cwe_ids": [ "CWE-331" ], "github_reviewed": true, "github_reviewed_at": "2026-04-01T20:29:26Z", "nvd_published_at": "2026-04-01T18:16:30Z", "severity": "HIGH" }- References
Affected packages
Packagist / auth0/auth0-php
Package
- Name
- auth0/auth0-php
- Purl
- pkg:composer/auth0/auth0-php