← Voltar para CVEs
CVE-2026-40155
MEDIUM5.4
Descricao
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.
Detalhes CVE
Pontuacao CVSS v3.15.4
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeHIGH
Privilegios necessariosLOW
Interacao do usuarioREQUIRED
Publicado4/17/2026
Ultima modificacao4/20/2026
Fontenvd
Avistamentos honeypot0
Fraquezas (CWE)
CWE-362CWE-863
Referencias
https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978(security-advisories@github.com)
https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0(security-advisories@github.com)
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.