CVE-2026-42206

Source
https://cve.org/CVERecord?id=CVE-2026-42206
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42206.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42206
Aliases
Published
2026-05-08T21:54:32.715Z
Modified
2026-07-08T08:05:12.352913766Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Roadiz OpenID Connect nonce generated but never validated — ID token replay attack
Details

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42206.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-345"
    ]
}
References

Affected packages

Git / github.com/roadiz/core-bundle-dev-app

Affected ranges

Type
GIT
Repo
https://github.com/roadiz/core-bundle-dev-app
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.43"
        },
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.45"
        },
        {
            "introduced": "2.6.0"
        },
        {
            "fixed": "2.6.31"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.18"
        }
    ]
}

Affected versions

v2.*
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.18
v2.1.19
v2.1.2
v2.1.20
v2.1.21
v2.1.22
v2.1.23
v2.1.24
v2.1.25
v2.1.26
v2.1.27
v2.1.28
v2.1.29
v2.1.3
v2.1.30
v2.1.31
v2.1.32
v2.1.33
v2.1.34
v2.1.35
v2.1.36
v2.1.37
v2.1.38
v2.1.39
v2.1.4
v2.1.40
v2.1.41
v2.1.42
v2.1.43
v2.1.44
v2.1.45
v2.1.46
v2.1.47
v2.1.48
v2.1.49
v2.1.5
v2.1.50
v2.1.51
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.5.0
v2.5.1
v2.5.10
v2.5.11
v2.5.12
v2.5.13
v2.5.14
v2.5.15
v2.5.16
v2.5.17
v2.5.18
v2.5.19
v2.5.2
v2.5.20
v2.5.21
v2.5.22
v2.5.23
v2.5.24
v2.5.25
v2.5.26
v2.5.27
v2.5.28
v2.5.29
v2.5.3
v2.5.30
v2.5.31
v2.5.32
v2.5.33
v2.5.34
v2.5.35
v2.5.36
v2.5.37
v2.5.38
v2.5.39
v2.5.4
v2.5.40
v2.5.41
v2.5.42
v2.5.43
v2.5.44
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.18
v2.6.19
v2.6.2
v2.6.20
v2.6.21
v2.6.22
v2.6.23
v2.6.24
v2.6.25
v2.6.26
v2.6.27
v2.6.28
v2.6.29
v2.6.3
v2.6.30
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42206.json"