CVE-2026-42280: Auth.js SDK has Improper Permission Checking
Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.