
Auth0 Symfony SDK: Weak Cookie Encryption Allows Session Hijacking

GHSA-ghc5-95c2-vwcv
Summary

If you use the Auth0 Symfony SDK in a version between 5.0.0 and 5.7.0, the key used to encrypt session cookies has too little entropy. An attacker who captures an encrypted cookie can brute-force that key and then forge session cookies, gaining access to your users' accounts. To fix this, update the Auth0 Symfony SDK to version 5.8.0 or later.

What to do
  • Update the auth0 symfony package to version 5.8.0 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| auth0  | symfony | > 5.0.0, <= 5.7.0 | 5.8.0         |
Original title
Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption
Original description
### Impact
In applications built with the Auth0 PHP SDK (and therefore with the Auth0 Symfony SDK, which wraps it), cookies are encrypted with a key of insufficient entropy. A threat actor who obtains an encrypted cookie may brute-force the encryption key and then forge session cookies for arbitrary users.
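The following is an added illustration of the failure mode the advisory describes (CWE-331 applied to cookie encryption); it is not Auth0 code and it does not reproduce the SDK's actual key derivation, which the advisory does not detail. Everything here is constructed for the example: a toy encrypt-then-MAC cookie cipher (HMAC-SHA256 used as a counter-mode keystream plus an HMAC tag), a hypothetical `weak_key()` that derives the key from a 16-bit seed, and the sample session payloads. The point it demonstrates is that authenticated encryption does not help when the key space is small: the MAC check itself becomes the attacker's oracle, so recovering the key costs at most 2^16 HMAC computations, after which any cookie can be forged. `strong_key()` shows the fix, a key drawn from the operating system CSPRNG.

```python
"""CWE-331 in cookie encryption: toy example, not the Auth0 SDK's implementation."""
import base64
import hashlib
import hmac
import json
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (constructed toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> str:
    """Encrypt-then-MAC a JSON session payload into an opaque cookie value."""
    plaintext = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    nonce = secrets.token_bytes(12)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def open_cookie(key: bytes, cookie: str):
    """Return the decrypted payload if the tag verifies under key, else None."""
    raw = base64.urlsafe_b64decode(cookie)
    nonce, ciphertext, tag = raw[:12], raw[12:-32], raw[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def weak_key(seed: int) -> bytes:
    """Hypothetical low-entropy derivation: 256-bit output, but only 2^16 possible inputs."""
    return hashlib.sha256(str(seed).encode()).digest()


def strong_key() -> bytes:
    """The fix: 256 bits from the OS CSPRNG, so brute force is infeasible."""
    return secrets.token_bytes(32)


def brute_force_key(cookie: str, space: int = 1 << 16):
    """Attacker: enumerate every seed; a verifying MAC tag is the success oracle."""
    for seed in range(space):
        candidate = weak_key(seed)
        if open_cookie(candidate, cookie) is not None:
            return candidate
    return None


def demo():
    """Server picks a weak key; attacker recovers it from one captured cookie and forges another."""
    victim_key = weak_key(secrets.randbelow(1 << 16))
    captured = seal(victim_key, {"sub": "auth0|user123", "role": "user"})  # constructed sample
    recovered = brute_force_key(captured)
    assert recovered == victim_key
    forged = seal(recovered, {"sub": "auth0|admin", "role": "admin"})
    # The server accepts the forged cookie because it was sealed with its own key.
    return open_cookie(victim_key, forged)


if __name__ == "__main__":
    print(demo())
```

The brute force finishes in well under a second for a 16-bit seed; the same loop against a key from `strong_key()` would need on the order of 2^256 trials, which is the whole difference between the affected and the fixed SDK as far as an attacker is concerned.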

### Am I Affected?
Consumers are affected if their application meets the following preconditions:
- It uses the Auth0 Symfony SDK, versions between 5.0.0 and 5.7.0
- The Auth0 Symfony SDK in use depends on the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0

### Resolution
Upgrade Auth0/symfony-auth0 to version 5.8.0 or later.
CVSS 3.1 (GHSA): 8.2
Vulnerability type
CWE-331 (Insufficient Entropy)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026