What is CVE-2026-40155?

CVE-2026-40155 is a medium-severity vulnerability in Auth0 Nextjs-auth0, classified under Incorrect Authorization. CVSS score: 5.4/10. Published 2026-04-17.

How severe is CVE-2026-40155?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Auth bypass in Auth0 Nextjs-auth0

CVE-2026-40155

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper look…

Vulnerability class: Broken Access Control

EPSS: 0.000 (6.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N.

Affected products

Auth0 Nextjs-auth0 — versions >= 4.12.0, < 4.18.0

Weakness classification (CWE)

References

https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6 (x_refsource_CONFIRM)
https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978 (x_refsource_MISC)
https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-40155?: CVE-2026-40155 is a medium-severity vulnerability in Auth0 Nextjs-auth0, classified under Incorrect Authorization. CVSS score: 5.4/10. Published 2026-04-17.
How severe is CVE-2026-40155?: Medium severity. CVSS v3 base score is 5.4 out of 10.