VulnerableCode Package Details - pkg:composer/auth0/auth0-php@8.18.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-yp9u-s51c-rbfx Aliases: CVE-2026-34236 GHSA-w3wc-44p4-m4j7	Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption ### Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. ### Am I Affected? Consumers are affected if their application meets the following preconditions: - Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0 - Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: - Auth0/symfony, - Auth0/laravel0-auth0, or - Auth0/wordpress ### Resolution Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater.	8.19.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-yp9u-s51c-rbfx
Aliases:
CVE-2026-34236
GHSA-w3wc-44p4-m4j7

Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption ### Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. ### Am I Affected? Consumers are affected if their application meets the following preconditions: - Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0 - Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: - Auth0/symfony, - Auth0/laravel0-auth0, or - Auth0/wordpress ### Resolution Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater.

8.19.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8dve-yw6d-17gg	Auth0-PHP SDK has Improper Audience Validation In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.	CVE-2025-68129 GHSA-j2vm-wrq3-f7gf

Vulnerability

Summary

Aliases

VCID-8dve-yw6d-17gg

Auth0-PHP SDK has Improper Audience Validation In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

CVE-2025-68129
GHSA-j2vm-wrq3-f7gf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-07T20:52:36.747680+00:00	GHSA Importer	Affected by	VCID-yp9u-s51c-rbfx	https://github.com/advisories/GHSA-w3wc-44p4-m4j7	38.6.0
2026-06-06T07:41:47.608545+00:00	GitLab Importer	Affected by	VCID-yp9u-s51c-rbfx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/auth0/auth0-php/CVE-2026-34236.yml	38.6.0
2026-06-05T21:54:15.674342+00:00	GHSA Importer	Fixing	VCID-8dve-yw6d-17gg	https://github.com/advisories/GHSA-j2vm-wrq3-f7gf	38.6.0
2026-06-04T17:09:30.993893+00:00	GithubOSV Importer	Fixing	VCID-8dve-yw6d-17gg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j2vm-wrq3-f7gf/GHSA-j2vm-wrq3-f7gf.json	38.6.0
2026-06-02T04:49:14.360513+00:00	GitLab Importer	Fixing	VCID-8dve-yw6d-17gg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/auth0/auth0-php/CVE-2025-68129.yml	38.6.0