GHSA-ffq7-hh2j-r24pMediumCVSS 6.5

Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter

Published
July 14, 2026
Last Modified
July 14, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.

Resolution

Upgrade auth0/symfony to version 5.9.0 or greater.

Acknowledgement

Okta would like to thank Alex Yeara for their discovery.

🎯 Affected products1

  • composer/auth0/symfony:>= 5.0.0-BETA0, <= 5.8.0

🔗 References (5)