{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34236", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-04-01T17:04:53.378Z", "dateUpdated": "2026-04-01T17:59:59.001Z"}, "containers": {"cna": {"title": "Auth0 PHP SDK Insufficient Entropy in Cookie Encryption", "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "lang": "en", "description": "CWE-331: Insufficient Entropy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7"}, {"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0"}], "affected": [{"vendor": "auth0", "product": "auth0-PHP", "versions": [{"version": ">= 8.0.0, < 8.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:04:53.378Z"}, "descriptions": [{"lang": "en", "value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0."}], "source": {"advisory": "GHSA-w3wc-44p4-m4j7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:59:49.583107Z", "id": "CVE-2026-34236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:59:59.001Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34236", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-04-01T17:04:53.378Z", "dateUpdated": "2026-04-01T17:59:59.001Z"}, "containers": {"cna": {"title": "Auth0 PHP SDK Insufficient Entropy in Cookie Encryption", "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "lang": "en", "description": "CWE-331: Insufficient Entropy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7"}, {"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0"}], "affected": [{"vendor": "auth0", "product": "auth0-PHP", "versions": [{"version": ">= 8.0.0, < 8.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:04:53.378Z"}, "descriptions": [{"lang": "en", "value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0."}], "source": {"advisory": "GHSA-w3wc-44p4-m4j7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34236", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T17:59:49.583107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:59:53.927Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0."}], "id": "CVE-2026-34236", "lastModified": "2026-04-01T18:16:30.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T18:16:30.007", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.19.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "auth0-PHP", "source": "cna", "vendor": "auth0"}, "product": "auth0-php", "vendor": "auth0"}], "analysis": {"en": {"generated_at": "2026-04-02T04:34:27.323320+00:00", "value": {"mitigation_remediation": ["Upgrade the Auth0 PHP SDK to version 8.19.0 or later.", "Verify that your deployment is using a recent SDK version and that any old dependencies have been removed."], "summary": {"action": "Patch Now", "impact": "Session Hijacking"}, "threat_synthesis": {"affected_systems": "Applications built with the Auth0 PHP SDK from version 8.0.0 up to, but not including, 8.19.0 are affected. The issue is specific to the Auth0 PHP SDK sold by Auth0 and does not impact other Auth0 components or products.", "description_and_impact": "The Auth0 PHP SDK encrypts session cookies with an encryption key that has insufficient entropy. This weakness allows an attacker to brute\u2011force the key and forge valid cookies, enabling unauthorized access to the application\u2019s authenticated sessions. The flaw is a classic example of weak cryptographic key generation and is classified as a CWE\u2011331 vulnerability.", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high risk, and while the EPSS score is unavailable, the lack of listing in the CISA KEV catalog suggests no publicly known exploits yet. However, the flaw could be abused remotely over the network by forging session cookies, which requires only the ability to send HTTP requests to the target application. The vulnerability is thus exploitable from anywhere the application is reachable."}}}}, "created": "2026-04-02T07:48:12.085134+00:00", "updated": "2026-04-02T20:17:08.721582+00:00", "vendors": ["auth0", "auth0$PRODUCT$auth0-php"]}