GHSA-3gx8-q682-38mx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3gx8-q682-38mx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3gx8-q682-38mx/GHSA-3gx8-q682-38mx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3gx8-q682-38mx
- Aliases
-
- CVE-2026-42206
- Published
- 2026-04-29T20:51:40Z
- Modified
- 2026-05-13T13:55:48.291155Z
- Severity
-
- 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- OpenID Connect nonce generated but never validated — ID token replay attack
- Details
-
Summary
The
roadiz/openidpackage generates an OIDC nonce inOAuth2LinkGenerator::generate()and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. TheOpenIdJwtConfigurationFactoryvalidation chain does not include a nonce constraint, andOpenIdAuthenticator::authenticate()never checks the nonce claim in the returned ID token against a stored value.Details
In
src/OAuth2LinkGenerator.php, a nonce is created and sent to the IdP:'nonce' => $this->tokenGenerator->generateToken(),However, this value is neither stored in session, cache, nor any other persistent store.
In
src/OpenIdJwtConfigurationFactory.php, the JWT validation constraints are: -LooseValidAt(expiry) -PermittedFor(audience) -IssuedBy(issuer) -HostedDomain(optional) -UserInfoEndpoint(optional)No nonce constraint is present.
In
src/Authentication/OpenIdAuthenticator.php, theauthenticate()method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against thenonceclaim in the ID token.PoC
- Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).
- Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.
- Result: An attacker can authenticate as the victim within the ID token's validity window.
Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.
Impact
- ID token replay attacks: Valid but intercepted tokens can be reused for authentication within their validity period.
- Token injection attacks: A malicious or compromised identity provider can inject tokens across sessions without detection.
- Affects any Roadiz application using the
roadiz/openidpackage with OpenID Connect SSO.
The OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the
nonceclaim if it was present in the authorization request. - Database specific
{ "cwe_ids": [ "CWE-345" ], "github_reviewed": true, "github_reviewed_at": "2026-04-29T20:51:40Z", "nvd_published_at": "2026-05-08T22:16:31Z", "severity": "MODERATE" }- References
Affected packages
Packagist / roadiz/openid
Package
- Name
- roadiz/openid
- Purl
- pkg:composer/roadiz/openid
Packagist / roadiz/openid
Package
- Name
- roadiz/openid
- Purl
- pkg:composer/roadiz/openid
Packagist / roadiz/openid
Package
- Name
- roadiz/openid
- Purl
- pkg:composer/roadiz/openid
Affected versions
v2.*
Packagist / roadiz/openid
Package
- Name
- roadiz/openid
- Purl
- pkg:composer/roadiz/openid
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.43