CVE-2026-42280: Improper Permission Checking in Auth0.js SDK
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
HarborGuard Analysis
Synopsis
An improper permission-checking vulnerability exists in the Auth0.js client-side JavaScript SDK, versions 8.11.0 through 9.32.0. Per the CVSS vector the attack is network-based, needs only low privileges (a valid access token) and requires no interaction from a victim. Under specific preconditions, an attacker can present a specifically crafted invalid ID token alongside a valid access token and cause the SDK to return user profile information it should not expose. The upstream fix is Auth0.js 10.0.0; HarborGuard tracks this advisory and flags images that bundle an affected version.
HarborGuard Coverage
Detection of CVE-2026-42280 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the auth0.js library. Any image containing an affected version (8.11.0 through 9.32.0) is flagged automatically during both registry scans and CI pipeline checks.
HarborGuard scores this CVE at CVSS 7.1 (HIGH) and applies per-environment compliance policy weighting to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
The upstream fix is Auth0.js 10.0.0. HarborGuard re-checks the advisory on every ingest cycle so that the affected and fixed version ranges stay current. Customers with auto-remediation enabled receive a rebuilt image on the fixed version, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The SDK runs in the browser and consumes tokens delivered over the network in the authentication response, so the attacker must be able to deliver the crafted ID token and the valid access token to an application that uses the affected SDK.
- Authentication: Required
The attacker must hold a valid access token, so at minimum a low-privilege account credential is needed to trigger the flaw.
- Victim interaction: Not required
No action from another user is needed; the attacker submits the crafted tokens entirely on their own.
- Attack complexity: Low
CVSS rates attack complexity low: the exploit needs no race condition, specific memory layout, or other environmental dependency beyond the preconditions described in the advisory.
Blast Radius
- Returns user profile information the SDK should not expose; CVSS rates the confidentiality impact high, and the exposed data is whatever the Auth0 user profile endpoint returns for the access token presented, regardless of whether the accompanying ID token was valid.
- Alters the identity context the application sees in a limited way (integrity impact rated low), because profile data is returned without the ID-token validation that normally binds it to an authenticated session; this can confuse privilege boundaries within the session.
- Does not disrupt service availability; the confidentiality exposure is the primary harm.
- In applications that trust SDK-returned profile data to make authorization decisions, the attacker may gain access to resources or UI sections scoped to the profile the SDK returned.
How HarborGuard Handles This
Available on HarborGuard: any image found to contain auth0.js 8.11.0 through 9.32.0 is flagged immediately on scan, and the remediation is to upgrade to Auth0.js 10.0.0, which contains the upstream fix. Until the upgrade is deployed, customers can enforce strict server-side validation of ID tokens independent of the client-side library (signature, issuer, audience, expiry and nonce), refuse to use SDK-returned profile data for authorization unless its subject matches a validated ID token, and use feature-flag gating to disable flows that depend on SDK-level profile resolution. HarborGuard re-evaluates the advisory on every ingest cycle; for customers with auto-remediation enabled, the patched-image rebuild, regression-test run, and PR against affected workloads are triggered automatically.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 10.0.0
- Affected Products: 1
  - auth0 / auth0.js >= 8.11.0, <= 9.32.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N