8.2
Auth0 Laravel SDK Cookie Encryption is Not Secure
GHSA-fmg6-246m-9g2v
Summary
If you use the Auth0 Laravel SDK, you may be at risk of attackers forging your users' session cookies. This is because the key used to encrypt those cookies has insufficient entropy, so it can be brute-forced and then used to craft valid-looking cookies. To fix this, update the Auth0 Laravel SDK to version 7.21.0 or later.
What to do
- Update the auth0/login package (vendor auth0) to version 7.21.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| auth0 | auth0/login | > 7.0.0, <= 7.21.0 | 7.21.0 |
Original title
Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption
Original description
### Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
### Am I Affected?
You are affected if you meet the following preconditions:
- Applications using laravel-auth0 SDK, versions between 7.0.0 and 7.20.0
- Laravel-auth0 SDK using the Auth0-PHP SDK versions between 8.0.0 and 8.18.0.
### Resolution
Upgrade Auth0/laravel-auth0 to version 7.21.0 or greater.
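To check a Laravel project against the two preconditions above, here is an added Python script (not part of the advisory or of the Auth0 SDKs) that reads a composer.lock and compares the pinned versions with the advisory's ranges. It assumes the Auth0-PHP SDK is pinned under the Packagist name auth0/auth0-php, and it conservatively treats a missing PHP SDK entry as still affected when auth0/login is in range.

```python
import json
import re

# Affected ranges exactly as stated in the advisory (inclusive on both ends).
AFFECTED = {
    "auth0/login": ("7.0.0", "7.20.0"),      # laravel-auth0 SDK
    "auth0/auth0-php": ("8.0.0", "8.18.0"),  # Auth0-PHP SDK (package name assumed)
}

# Constructed sample composer.lock: a project pinned inside both ranges.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "auth0/login", "version": "7.12.0"},
        {"name": "auth0/auth0-php", "version": "8.10.0"},
        {"name": "laravel/framework", "version": "v10.48.0"},
    ],
    "packages-dev": [],
})

def parse_version(v):
    """Turn 'v7.12.0' or '7.12.0-beta1' into a comparable tuple of ints."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '7.1' to (7, 1, 0)

def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def installed_versions(lock_json):
    """Map package name -> pinned version across both lock sections."""
    lock = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found

def assess(lock_json):
    """Return (affected, details); details[name] is True/False, or None if absent."""
    found = installed_versions(lock_json)
    details = {}
    for name, (low, high) in AFFECTED.items():
        ver = found.get(name)
        details[name] = None if ver is None else in_range(ver, low, high)
    # Affected only when the Laravel SDK is in range; an unknown PHP SDK version
    # does not clear the finding, a PHP SDK outside its range does.
    affected = bool(details["auth0/login"]) and details["auth0/auth0-php"] is not False
    return affected, details

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))
```

Point it at a real project by replacing SAMPLE_LOCK with the contents of the project's composer.lock file.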
CVSS 3.1 (osv): 8.2
Vulnerability type
CWE-331 (Insufficient Entropy)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026