Auth0.js SDK, Improper Permission Checking, High severity


The vulnerability sits in the token validation flow of the Auth0.js SDK (npm package auth0-js). Under normal operation, when an application receives an ID token, the SDK validates its structure, signature and claims before accepting it. In versions 8.11.0 to 9.32.0, however, a logic flaw is triggered when the SDK processes a specifically crafted invalid ID token while the caller already holds a valid access token for a target user.

The SDK attempts to parse the malformed ID token and, when validation fails, improperly falls back to the user profile associated with the valid access token. Instead of rejecting the request or returning an error, it returns the full user profile of the access token's subject. The precondition is that the attacker holds a valid access token (for example, from a previous session) and can supply a malformed ID token that passes basic parsing but fails full validation. The SDK's error handling then skips the permission check and leaks the profile.

The net effect is an authorization bypass: an attacker can retrieve another user's personally identifiable information without presenting a correct ID token for that user.
Platform: Auth0.js SDK
Version: 8.11.0–9.32.0
Vulnerability: Improper permission checking
Severity: High
Date: May 6 2026

Prediction: Patch date May 6 2026

What Undercode Say:

Check vulnerable version:

npm ls auth0-js
node -e "console.log(require('auth0-js/package.json').version)"
# Affected if the printed version is in the range 8.11.0 to 9.32.0 (inclusive) stated above.

Vulnerable code snippet:

// Illustrative shape of the flaw in Auth0.js prior to v10.0.0 (simplified, not verbatim SDK code)
function getUserProfile(accessToken, idToken) {
try {
// Full validation: structure, signature, iss/aud/exp claims
validateIdToken(idToken);
} catch (err) {
// Improper fallback: validation failure is swallowed and the profile
// is fetched using only the access token, so the ID token is never trusted
// but also never required
return fetchProfile(accessToken);
}
// Happy path: ID token validated, profile returned for the access token
return fetchProfile(accessToken);
}

Exploit:

  1. Obtain a valid access token for any user (e.g., via legitimate login).
  2. Construct an invalid ID token (e.g., with a malformed signature or claims) that still parses as a token.
  3. Call `auth0.client.userInfo(accessToken, invalidIdToken)` as described above.
  4. The SDK erroneously returns the profile information of the access token's owner instead of rejecting the invalid ID token.
  5. Repeat with different access tokens to enumerate user data.

Protection from this CVE

  • Upgrade to auth0/auth0.js version 10.0.0 or later.
  • Validate ID tokens server‑side before trusting any user data.
  • Implement additional logging for token validation failures.
  • Reject requests where the ID token does not match the access token’s subject.

Impact

An attacker holding a valid access token can retrieve the associated user's profile information (email, name, metadata) without possessing a valid ID token for that user. This results in unauthorized data exposure and a privacy breach, and the leaked information can seed further attacks such as targeted phishing or account enumeration.


Sources:

Reported By: github.com