Auth0 Next.js SDK has Improper Proxy Cache Lookup_CVE-2026-40155

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.

Basic Information

ID CVE-2026-40155

Source GitHub_M

Published Apr 17, 2026 at 20:54

Affected Product

Vendor auth0

Product nextjs-auth0

Version >= 4.12.0, < 4.18.0

Affected Versions auth0 nextjs-auth0 >= 4.12.0, < 4.18.0

CWE Classification

CWE-863 CWE-362

References

{
    "lastseen": "",
    "description": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.",
    "published": "2026-04-17T20:54:38.958Z",
    "modified": "2026-04-17T20:54:38.958Z",
    "type": "cve",
    "title": "Auth0 Next.js SDK has Improper Proxy Cache Lookup",
    "source": "GitHub_M",
    "references": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6\nhttps://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978\nhttps://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0",
    "id": "CVE-2026-40155",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863",
        "CWE-362"
    ],
    "cvelist": null,
    "sourceData": "auth0 nextjs-auth0 >= 4.12.0, < 4.18.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nextjs-auth0",
    "version": ">= 4.12.0, < 4.18.0",
    "vendor": "auth0",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}