What is CVE-2026-34236?

CVE-2026-34236 is a high-severity vulnerability in Auth0 Auth0-php, classified under Insufficient Entropy. CVSS score: 8.2/10. Published 2026-04-01.

How severe is CVE-2026-34236?

High severity. CVSS v3 base score is 8.2 out of 10.

Vulnerability in Auth0 Auth0-php

CVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat act…

EPSS: 0.000 (2.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N.

Affected products

Auth0 Auth0-php — versions >= 8.0.0, < 8.19.0

Weakness classification (CWE)

CWE-331 — Insufficient Entropy

References

https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7 (x_refsource_CONFIRM)
https://github.com/auth0/auth0-PHP/releases/tag/8.19.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34236?: CVE-2026-34236 is a high-severity vulnerability in Auth0 Auth0-php, classified under Insufficient Entropy. CVSS score: 8.2/10. Published 2026-04-01.
How severe is CVE-2026-34236?: High severity. CVSS v3 base score is 8.2 out of 10.