Primary

Context

Auth0-PHP Insufficient Entropy in Cookie Encryption Vulnerability Allowing Session Forgery

Vulnerability

A vulnerability exists in the Auth0-PHP SDK for Auth0 Authentication and Management APIs, affecting versions 8.0.0 prior to 8.19.0. The issue arises because cookies are encrypted with inadequate entropy, potentially allowing threat actors to brute-force the encryption key and forge session cookies. This vulnerability is also present in applications using the Auth0-PHP SDK's dependent SDKs: Auth0/symfony, Auth0/laravel0-auth0, or Auth0/wordpress.

Impact

Exploitation of this vulnerability could lead to the forging of session cookies, allowing for unauthorized access to user sessions.

Remediation

Users can upgrade to Auth0-PHP version 8.19.0 or later to address this vulnerability.

Added: Apr 1, 2026, 6:39 PM

Updated: Apr 1, 2026, 6:39 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

6.6

remediation

0.0

relevance

4.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

6.6

remediation

0.0

relevance

4.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Auth0-PHP Insufficient Entropy in Cookie Encryption Vulnerability Allowing Session Forgery

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating