CVE-2026-40155
Auth0 Next.js SDK has Improper Proxy Cache Lookup
| Field | Value |
| --- | --- |
| CVSS Score | 5.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. A project is affected only if it uses a vulnerable version together with the proxy handler for the /me/* and /my-org/* routes with DPoP enabled. This issue has been fixed in version 4.18.0.

| Field | Value |
| --- | --- |
| CWE | CWE-863, CWE-362 |
| Vendor | auth0 |
| Product | nextjs-auth0 |
| Published | Apr 17, 2026 |
CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
Affected Versions

| Package | Affected range |
| --- | --- |
| auth0 / nextjs-auth0 | >= 4.12.0, < 4.18.0 |