GHSA-xq8m-7c5p-c2r6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xq8m-7c5p-c2r6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xq8m-7c5p-c2r6/GHSA-xq8m-7c5p-c2r6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xq8m-7c5p-c2r6
- Aliases
-
- CVE-2026-40155
- Published
- 2026-04-21T15:21:46Z
- Modified
- 2026-04-21T15:41:19.524282Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- Auth0 Next.js SDK has Improper Proxy Cache Lookup
- Details
-
Description
In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results.
Which Projects are Affected?
Users are affected if they meet all of the following preconditions: - Applications using the auth0/nextjs-auth0 SDK, versions 4.12.0 to 4.17.0, and - Applications using the proxy handler /me/* and /my-org/* with DPoP enabled.
Affected product and versions
Auth0/nextjs-auth0 v4.12.0 to 4.17.0
Resolution
Upgrade Auth0/nextjs-auth0 version to v4.18.0 or greater
Acknowledgements
Okta would like to thank Reynaldo Immanuel for their discovery and responsible disclosure.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-21T15:21:46Z", "cwe_ids": [ "CWE-362", "CWE-863" ], "severity": "MODERATE", "nvd_published_at": "2026-04-17T21:16:33Z" }- References
-
- https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6
- https://nvd.nist.gov/vuln/detail/CVE-2026-40155
- https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978
- https://github.com/auth0/nextjs-auth0
- https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0
Affected packages
npm / @auth0/nextjs-auth0
Package
- Name
- @auth0/nextjs-auth0
- View open source insights on deps.dev
- Purl
- pkg:npm/%40auth0/nextjs-auth0