PT-2026-33516 · Auth0 · Auth0 Next.js SDK

Reynaldo Immanuel · Published 2026-04-17 · Updated 2026-04-28 · CVE-2026-40155

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Auth0 Next.js SDK versions 4.12.0 through 4.17.1

Description: Simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for token request results. This occurs when projects use the proxy handlers "/me/" and "/my-org/" with DPoP (Demonstrating Proof-of-Possession, a mechanism that binds a token to a private key) enabled.

Recommendations: Update to version 4.18.0.

Fix

Race Condition

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-40155
GHSA-XQ8M-7C5P-C2R6

Affected Products

Auth0 Next.js SDK