PT-2026-60084 · Packagist · Auth0/Symfony
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-50157
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Description
Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.
Resolution
Upgrade auth0/symfony to version 5.9.0 or greater.
Acknowledgement
Okta would like to thank Alex Yeara for their discovery.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Auth0/Symfony