Cyber Resilience

CVE-2026-42280

HighUpdated

Published: 27 May 2026

Published
27 May 2026
Modified
04 June 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0021 11.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42280 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Auth0 Auth0.Js. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Accounts (T1078.004); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability…

more

is fixed in 10.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.004 Cloud Accounts Stealth
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

CWE-863 authz flaw in Auth0 SDK enables improper profile access via valid access tokens + crafted ID tokens, facilitating unauthorized use of cloud accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34236Same vendor: Auth0
CVE-2026-32924Shared CWE-863
CVE-2024-44136Shared CWE-863
CVE-2019-25237Shared CWE-863
CVE-2026-35490Shared CWE-863
CVE-2025-14774Shared CWE-863
CVE-2025-59683Shared CWE-863
CVE-2025-41078Shared CWE-863
CVE-2026-42431Shared CWE-863
CVE-2025-30074Shared CWE-863

Affected Assets

auth0
auth0.js
8.11.0 — 10.0.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

addresses: CWE-863

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

addresses: CWE-863

Ensures authorization decisions for external system use are correctly implemented and enforced.

References