CVE-2026-42206
OpenID Nonce Validation Bypass in Roadiz
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roadiz | roadiz | < 2.7.18 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the roadiz/openid package of the Roadiz content management system prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18. The package generates an OpenID Connect (OIDC) nonce for the OAuth2 authorization request but neither stores it nor validates it when the identity provider returns the response. Specifically, the nonce is sent in the authorization request but is never compared against a stored value on callback, and the ID token validation chain does not enforce a nonce constraint. Because the nonce exists precisely to bind an ID token to the login attempt that requested it, this flaw can allow replay or token substitution attacks.
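The vulnerable and hardened callback checks side by side, as an added Python example (not Roadiz's own PHP code); the issuer, client id, clock value and in-memory session dict are constructed for the demonstration:

```python
import secrets
import hmac

# Constructed values for the demonstration (hypothetical, not Roadiz's own config).
ISSUER = "https://idp.example.test"
CLIENT_ID = "roadiz-demo-client"


def start_authorization(session):
    """Step 1 of the flow: mint a nonce, persist it server-side, send it to the IdP."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce          # the step the vulnerable versions skipped
    return {"response_type": "code", "scope": "openid", "nonce": nonce}


def basic_claim_checks(claims, now):
    """Checks that are unrelated to the flaw: issuer, audience and expiry."""
    return (claims.get("iss") == ISSUER
            and claims.get("aud") == CLIENT_ID
            and isinstance(claims.get("exp"), int) and claims["exp"] > now)


def validate_vulnerable(session, claims, now):
    """Mirrors the flaw: the token's nonce claim is never compared to anything,
    so an ID token minted for a different login (or with no nonce) is accepted."""
    return basic_claim_checks(claims, now)


def validate_fixed(session, claims, now):
    """Hardened callback: a nonce must be stored for this session, must match the
    token's nonce claim exactly, and is consumed so the token cannot be replayed."""
    expected = session.pop("oidc_nonce", None)   # single use, even when the check fails
    received = claims.get("nonce")
    if expected is None or not isinstance(received, str):
        return False
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    return basic_claim_checks(claims, now)
```

Replace the dict with the real session store (Symfony session, cache) and keep the pop-before-compare order so a failed attempt also burns the nonce.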
How can this vulnerability impact me?
The lack of nonce validation in the OpenID Connect authentication flow can lead to security risks such as replay attacks or token substitution. An attacker might reuse or manipulate authentication tokens to impersonate users or gain unauthorized access. This undermines the integrity of the authentication process, potentially allowing attackers to bypass security controls and access protected resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the roadiz/openid package to one of the patched versions: 2.3.43, 2.5.45, 2.6.31, or 2.7.18.