Cyber Posture

CVE-2026-34236

High

Published: 01 April 2026

Modified: 07 April 2026
KEV Added: not listed
Patch: fixed in version 8.19.0
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34236 is a high-severity Insufficient Entropy (CWE-331) vulnerability in the Auth0-PHP SDK. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Cookies (T1606.001). The CVE is ranked at the 2.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Cookies (T1606.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Flaw Remediation (prevent): Requires timely flaw remediation, directly addressing the insufficient entropy vulnerability in the Auth0-PHP SDK by mandating upgrades to version 8.19.0 or later.

SC-12 Cryptographic Key Establishment and Management (prevent): Mandates cryptographic key establishment with sufficient entropy, preventing brute-forcing of the weak encryption keys used for session cookies in the vulnerable SDK.

SC-23 Session Authenticity (prevent): Ensures mechanisms protect the authenticity of communications sessions, mitigating the risk of forged session cookies resulting from weak encryption.

MITRE ATT&CK Enterprise Techniques

T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.

Why this technique? The vulnerability in cookie encryption (insufficient entropy) directly enables brute-forcing the key to forge session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

Deeper analysis

CVE-2026-34236 affects the Auth0-PHP SDK, a PHP library for integrating with Auth0 Authentication and Management APIs. In versions 8.0.0 through 8.18.x, the SDK encrypts cookies using insufficient entropy, enabling attackers to brute-force the encryption key and forge session cookies. This flaw, classified under CWE-331 (Insufficient Entropy), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high severity due to its potential for confidentiality and integrity impacts.

An attacker with low privileges (PR:L), such as an authenticated user of the network-accessible application (AV:N), can exploit this vulnerability despite its high attack complexity (AC:H). No user interaction is required (UI:N), and successful exploitation changes scope (S:C): forged session cookies yield high confidentiality and integrity impacts (C:H/I:H), such as impersonating users or accessing sensitive data, without affecting availability (A:N).

The Auth0-PHP maintainers addressed this issue in version 8.19.0, as detailed in the release notes and security advisory. Security practitioners should upgrade affected applications to 8.19.0 or later to mitigate the risk of key brute-forcing and session forgery.
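The practical defender check that follows from the advisory is an inventory sweep for the affected release range. The script below is an added example, not code from Auth0 or from this page: it reads a composer.lock (a constructed sample is embedded) and classifies the pinned auth0/auth0-php version against the range 8.0.0 up to, but excluding, 8.19.0 that the advisory states; the package name and the pre-release handling are this example's assumptions.

```python
import json
import re
from typing import Optional, Tuple

# Affected range from the advisory: 8.0.0 <= version < 8.19.0 (fixed in 8.19.0).
AFFECTED_PACKAGE = "auth0/auth0-php"  # Composer package name (assumption)
FIRST_AFFECTED = (8, 0, 0)
FIXED_IN = (8, 19, 0)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")

def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """'v8.18.2' -> ((8, 18, 2), False); '8.19.0-rc1' -> ((8, 19, 0), True); None if not semver."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4) is not None

def is_affected(version: str) -> bool:
    """True for releases in [8.0.0, 8.19.0); a pre-release of 8.19.0 predates the fix."""
    parsed = parse_version(version)
    if parsed is None:
        return False  # unparsable (e.g. dev-main): caller reports it separately
    core, prerelease = parsed
    if core == FIXED_IN and prerelease:
        return True
    return FIRST_AFFECTED <= core < FIXED_IN

def installed_version(composer_lock: str) -> Optional[str]:
    """Locked version of the SDK from composer.lock JSON, or None if not present."""
    data = json.loads(composer_lock)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == AFFECTED_PACKAGE:
                return pkg.get("version")
    return None

def check_lockfile(composer_lock: str) -> str:
    """Return 'not-installed', 'unknown-version', 'affected' or 'fixed'."""
    ver = installed_version(composer_lock)
    if ver is None:
        return "not-installed"
    if parse_version(ver) is None:
        return "unknown-version"
    return "affected" if is_affected(ver) else "fixed"

# Constructed sample lockfile (not from any real project) pinning a vulnerable release.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "auth0/auth0-php", "version": "8.18.0"}]})
# check_lockfile(SAMPLE_LOCK) -> "affected"
```

For a real repository, pass the contents of its composer.lock to check_lockfile; a result of "affected" means the upgrade to 8.19.0 or later is still outstanding.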

Details

CWE(s): CWE-331 (Insufficient Entropy)

Affected Products

auth0 / auth0-php: versions 8.0.0 up to, but excluding, 8.19.0

CVEs Like This One

CVE-2026-41080 (shared CWE-331)
CVE-2025-13399 (shared CWE-331)
CVE-2025-29311 (shared CWE-331)
CVE-2020-36925 (shared CWE-331)
CVE-2024-53522 (shared CWE-331)
CVE-2026-22698 (shared CWE-331)
CVE-2025-15387 (shared CWE-331)
CVE-2025-1860 (shared CWE-331)
CVE-2025-1828 (shared CWE-331)

References