Home

Description

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M




MEDIUM: 5.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-345: Insufficient Verification of Data Authenticity

Product status

< 2.3.43
affected

>= 2.5.0, < 2.5.45
affected

>= 2.6.0, < 2.6.31
affected

>= 2.7.0, < 2.7.18
affected

References

github.com/...ev-app/security/advisories/GHSA-3gx8-q682-38mx

cve.org (CVE-2026-42206)

nvd.nist.gov (CVE-2026-42206)

Download JSON