CVE
CVE-2026-34236
Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption
Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
Am I Affected?
Consumers are affected if their application meets the following preconditions:
- Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0
- Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:
- Auth0/symfony,
- Auth0/laravel0-auth0, or
- Auth0/wordpress
Resolution
Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7, https://nvd.nist.gov/vuln/detail/CVE-2026-34236, https://github.com/auth0/auth0-PHP, https://github.com/auth0/auth0-PHP/releases/tag/8.19.0
Basic Information
Ecosystem
