PT-2026-38263 · Auth0 · Auth0.Js
Aleister1102 +1
Published 2026-05-06 · Updated 2026-06-04
CVE-2026-42280 · CVSS v3.1 7.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
auth0-js versions 8.11.0 through 9.32.0
Description
Improper validation in the Auth0.js SDK may allow user profile data to be returned when a specifically crafted, invalid ID token is presented together with a valid access token. Applications are affected when their access control relies on rules defined in Auth0 Actions; in that configuration the flaw can lead to unauthorized information disclosure. The CVSS vector (PR:L, C:H, I:L) reflects that the attacker must already hold a valid access token for the tenant and that the primary impact is disclosure of profile data.
Recommendations
Update auth0-js to version 10.0.0 or later; every release from 8.11.0 through 9.32.0 is affected, including nested copies pulled in by other dependencies.
Fix
Fixed in auth0-js 10.0.0.
Weakness Enumeration
Incorrect Authorization (CWE-863)
Related Identifiers
CVE-2026-42280
Affected Products
Auth0.Js