{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40155", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.013Z", "datePublished": "2026-04-17T20:54:38.958Z", "dateUpdated": "2026-04-20T14:57:32.023Z"}, "containers": {"cna": {"title": "Auth0 Next.js SDK has Improper Proxy Cache Lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6"}, {"name": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978"}, {"name": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0"}], "affected": [{"vendor": "auth0", "product": "nextjs-auth0", "versions": [{"version": ">= 4.12.0, < 4.18.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:54:38.958Z"}, "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0."}], "source": {"advisory": "GHSA-xq8m-7c5p-c2r6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:51:32.552302Z", "id": "CVE-2026-40155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:57:32.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40155", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:51:32.552302Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:51:34.467Z"}}], "cna": {"title": "Auth0 Next.js SDK has Improper Proxy Cache Lookup", "source": {"advisory": "GHSA-xq8m-7c5p-c2r6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "auth0", "product": "nextjs-auth0", "versions": [{"status": "affected", "version": ">= 4.12.0, < 4.18.0"}]}], "references": [{"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6", "name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978", "name": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0", "name": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:54:38.958Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40155", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:57:32.023Z", "dateReserved": "2026-04-09T19:31:56.013Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:54:38.958Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E4891D31-9552-4FA5-8972-28570BE322FD", "versionEndExcluding": "4.18.0", "versionStartIncluding": "4.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0."}], "id": "CVE-2026-40155", "lastModified": "2026-04-27T19:41:13.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:33.713", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.12.0,4.18.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nextjs-auth0", "source": "cna", "vendor": "auth0"}, "product": "nextjs-auth0", "vendor": "auth0"}], "analysis": {"en": {"generated_at": "2026-04-18T17:06:17.472469+00:00", "value": {"mitigation_remediation": ["Upgrade Auth0 Next.js SDK to version 4.18.0 or later to eliminate the race condition in the proxy cache fetcher.", "Reconfigure or disable DPoP for the /me/* and /my-org/* routes if those features are not required, or ensure that any DPoP usage does not involve simultaneous nonce retries.", "Implement rate limiting on authentication endpoints to reduce the likelihood of concurrent nonce retries that trigger the race condition."], "summary": {"action": "Apply Patch", "impact": "Potential unauthorized authentication via improper token lookup"}, "threat_synthesis": {"affected_systems": "The issue exists in Auth0 Next.js SDK versions 4.12.0 through 4.17.1. Applications must be using the SDK together with the proxy handler routes /me/* and /my-org/* with DPoP enabled to be vulnerable. Affected systems are any Next.js web applications that depend on the vulnerable Auth0 SDK. The bug has been addressed in SDK release 4.18.0, so upgrading beyond that version removes the risk.", "description_and_impact": "This vulnerability is a race condition in the Auth0 Next.js SDK\u2019s proxy cache fetcher; concurrent requests that retry a nonce can trigger an improper cache lookup, causing the SDK to retrieve the wrong token result. The flaw is a concurrency error (CWE\u2011362) combined with misused cache logic (CWE\u2011863). Although the CVE does not describe a remote code execution, the broken authentication flow can expose or reuse authentication tokens and lead to unauthorized access or data leakage. The integrity of user sessions may be fully compromised if an attacker can obtain a valid token.", "risk_and_exploitability": "The CVSS base score is 5.4, reflecting a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so the probability of exploitation is unclear. The attack vector appears to be local within the application: an attacker can trigger the race condition by issuing simultaneous nonce\u2011retry requests or by logging in multiple times in quick succession when the proxy handler and DPoP are enabled. Because the flaw requires specific routing and configuration, the exploitability is limited to deployments that match the described pattern but still poses a meaningful risk if such deployments are commonly used."}}}}, "created": "2026-04-17T22:30:29.501240+00:00", "updated": "2026-04-18T17:15:05.779699+00:00", "vendors": ["auth0", "auth0$PRODUCT$nextjs-auth0"]}