logo

Database

Authentication mechanism absence or evasion In @auth0/nextjs-auth0

Description

Auth0 Next.js SDK has Improper Proxy Cache Lookup

Description

In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results.

Which Projects are Affected?

Users are affected if they meet all of the following preconditions:

    Applications using the auth0/nextjs-auth0 SDK, versions 4.12.0 to 4.17.0, and

    Applications using the proxy handler /me/* and /my-org/* with DPoP enabled.

Affected product and versions

Auth0/nextjs-auth0 v4.12.0 to 4.17.0

Resolution

Upgrade Auth0/nextjs-auth0 version to v4.18.0 or greater

Acknowledgements

Okta would like to thank Reynaldo Immanuel for their discovery and responsible disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-401552. NVD-2026-401553. OSV-2026-401554. GHSA-xq8m-7c5p-c2r65. GCVE-2026-40155

References

1. https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r62. https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b999783. https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.