{"id":"CVE-2026-42206","summary":"Roadiz OpenID Connect nonce generated but never validated — ID token replay attack","details":"Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.","aliases":["GHSA-3gx8-q682-38mx"],"modified":"2026-07-08T08:05:12.352913766Z","published":"2026-05-08T21:54:32.715Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42206.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-345"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42206.json"},{"type":"ADVISORY","url":"https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42206"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roadiz/core-bundle-dev-app","events":[{"introduced":"0"},{"fixed":"1d93a7ffa9a0d466560d5c4d7d88263ac1d25924"},{"introduced":"d328f2545acb6a04bfa5e88a39f24a1462e2f076"},{"fixed":"90689e8a9332a3ded0c9d82de2597ce0a70659b2"},{"introduced":"61615a9afed0b4dcdf51ca475c1ece8f6b21968c"},{"fixed":"4883d6b62ef5c916b22b71757d8d361498ec957c"},{"introduced":"6e406d459f47e060d2954231b9b645d1698d2074"},{"fixed":"52c3f27dec73b148e0c7769624497df567e9d841"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"2.3.43"},{"introduced":"2.5.0"},{"fixed":"2.5.45"},{"introduced":"2.6.0"},{"fixed":"2.6.31"},{"introduced":"2.7.0"},{"fixed":"2.7.18"}]}}],"versions":["v2.7.17","v2.3.42","v2.5.44","v2.6.30","v2.7.16","v2.7.15","v2.7.14","v2.7.13","v2.7.12","v2.6.29","v2.7.11","v2.6.28","v2.7.10","v2.7.9","v2.3.41","v2.5.43","v2.6.27","v2.7.8","v2.7.7","v2.7.6","v2.7.5","v2.6.26","v2.7.4","v2.7.3","v2.7.2","v2.5.42","v2.5.41","v2.7.1","v2.7.0","v2.6.25","v2.6.24","v2.6.23","v2.6.22","v2.6.20","v2.5.40","v2.6.21","v2.3.40","v2.5.39","v2.6.19","v2.5.38","v2.6.18","v2.6.17","v2.5.37","v2.6.16","v2.5.36","v2.6.15","v2.5.35","v2.6.14","v2.6.13","v2.6.12","v2.5.34","v2.6.11","v2.6.10","v2.6.9","v2.6.8","v2.3.39","v2.5.33","v2.6.7","v2.6.6","v2.5.32","v2.3.38","v2.6.5","v2.6.4","v2.6.3","v2.6.2","v2.6.1","v2.6.0","v2.5.31","v2.5.30","v2.5.29","v2.5.28","v2.5.27","v2.3.37","v2.5.26","v2.5.25","v2.5.24","v2.5.23","v2.5.22","v2.5.21","v2.3.36","v2.3.35","v2.5.20","v2.5.19","v2.5.18","v2.5.17","v2.5.16","v2.5.15","v2.5.14","v2.5.13","v2.5.12","v2.5.11","v2.5.10","v2.5.9","v2.5.8","v2.5.7","v2.5.6","v2.3.34","v2.5.5","v2.5.4","v2.5.3","v2.5.2","v2.5.1","v2.5.0","v2.3.33","v2.3.32","v2.3.31","v2.3.30","v2.3.29","v2.3.28","v2.3.27","v2.3.26","v2.3.25","v2.3.24","v2.3.23","v2.3.22","v2.3.21","v2.3.20","v2.3.19","v2.3.18","v2.3.17","v2.3.16","v2.3.15","v2.3.14","v2.3.13","v2.3.12","v2.3.11","v2.3.10","v2.3.9","v2.3.8","v2.3.7","v2.3.6","v2.3.5","v2.3.4","v2.3.3","v2.3.2","v2.2.15","v2.3.1","v2.3.0","v2.2.14","v2.2.13","v2.2.12","v2.2.11","v2.2.10","v2.2.9","v2.2.8","v2.2.7","v2.2.6","v2.2.5","v2.2.4","v2.2.3","v2.2.2","v2.2.1","v2.1.51","v2.2.0","v2.1.50","v2.1.49","v2.1.48","v2.1.47","v2.1.46","v2.1.45","v2.1.44","v2.1.43","v2.1.42","v2.1.41","v2.1.40","v2.1.39","v2.1.38","v2.1.37","v2.1.36","v2.1.35","v2.1.34","v2.1.33","v2.1.32","v2.1.31","v2.1.30","v2.1.29","v2.1.28","v2.1.27","v2.1.26","v2.1.25","v2.1.24","v2.1.23","v2.1.22","v2.1.21","v2.1.20","v2.1.19","v2.1.18","v2.1.17","v2.1.16","v2.1.15","v2.1.14","v2.1.13","v2.1.12","v2.1.11","v2.1.10","v2.1.9","v2.1.8","v2.1.7","v2.1.6","v2.1.5","v2.1.4","v2.1.3","v2.1.2","v2.1.1","v2.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42206.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}