Auth0.js Improper Permission Checking Vulnerability Allowing Unauthorized User Profile Access

Vulnerability

A vulnerability exists in the Auth0.js SDK, affecting versions from 8.11.0 up to, but not including, 9.32.0. Under certain conditions, the SDK may incorrectly disclose user profile information when a valid access token is presented together with a specially crafted, invalid ID token. This issue affects applications that depend on access control rules defined in Auth0 Actions.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user profile information.

Remediation

Users can upgrade to Auth0.js version 10.0.0 or later to address this vulnerability.

Added: May 28, 2026, 4:56 AM
Updated: May 28, 2026, 4:56 AM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.