PT-2026-60084 · Packagist · Auth0/Symfony

Publicado

2026-07-14

·

Atualizado

2026-07-14

·

CVE-2026-50157

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.

Resolution

Upgrade auth0/symfony to version 5.9.0 or greater.

Acknowledgement

Okta would like to thank Alex Yeara for their discovery.

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-50157
GHSA-FFQ7-HH2J-R24P

Produtos afetados

Auth0/Symfony