CVE-2026-42206 Overview
CVE-2026-42206 affects Roadiz, a polymorphic content management system based on a node system. The vulnerability resides in the roadiz/openid package, which generates an OpenID Connect (OIDC) nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request. The package never stores the nonce and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain omits a nonce constraint, and OpenIdAuthenticator::authenticate() does not check the nonce claim in the returned ID token. The issue is tracked under [CWE-345] (Insufficient Verification of Data Authenticity) and was patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.
Critical Impact
Authenticated attackers can replay or inject OIDC ID tokens because the application does not bind the token to the originating authentication request.
Affected Products
- Roadiz CMS versions prior to 2.3.43
- Roadiz CMS versions 2.4.x and 2.5.x prior to 2.5.45
- Roadiz CMS versions 2.6.x prior to 2.6.31 and 2.7.x prior to 2.7.18
Discovery Timeline
- 2026-05-08 - CVE-2026-42206 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42206
Vulnerability Analysis
The roadiz/openid package implements the OpenID Connect authorization code flow but fails to complete the nonce handshake defined in the OIDC core specification. During the outbound authorization request, OAuth2LinkGenerator::generate() produces a random nonce value and embeds it as a query parameter sent to the identity provider. The application discards this value immediately and does not persist it in the user session or any server-side store.
When the identity provider redirects the user back to Roadiz with an ID token, OpenIdAuthenticator::authenticate() parses the JSON Web Token (JWT) and applies the validation rules built by OpenIdJwtConfigurationFactory. That factory configures signature, issuer, audience, and expiration constraints but never adds a nonce constraint. The authenticator accepts any ID token whose other claims pass validation, regardless of the nonce value it carries.
Root Cause
The root cause is missing state binding between the authorization request and the token response. OIDC nonces exist to bind an ID token to a specific browser session and defeat token replay or token injection. Roadiz generates the nonce but treats it as a write-only value, breaking the cryptographic link the protocol expects.
Attack Vector
An attacker who obtains a valid ID token issued for a Roadiz callback endpoint can replay that token within its validity window. Because the application does not compare the token's nonce claim to a stored expected value, replayed or substituted tokens authenticate successfully. The flaw also weakens defenses against cross-site request forgery on the OIDC callback when state parameter validation alone is relied upon. Exploitation requires network access to the callback endpoint and possession of a valid token, consistent with the low-privilege, network-based attack profile described in the advisory.
No verified proof-of-concept code is available. See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-42206
Indicators of Compromise
- Multiple successful OIDC authentications from different source IP addresses using ID tokens that share the same nonce claim value.
- Application logs showing successful logins via the OpenIdAuthenticator without a corresponding outbound authorization request earlier in the session.
- Unexpected user account access immediately following exposure of authorization code or ID token values in referrer logs, proxy logs, or browser history.
Detection Strategies
- Audit Roadiz authentication logs for ID token reuse by correlating the jti and nonce claims across distinct sessions.
- Compare timestamps between the issuance of authorization requests and the receipt of callbacks to identify anomalously long gaps consistent with token replay.
- Instrument the callback handler to log the decoded ID token claims and flag tokens whose nonce does not match any recently issued value.
Monitoring Recommendations
- Forward Roadiz authentication events to a centralized SIEM and alert on repeated use of identical nonce or jti values.
- Monitor identity provider logs for token issuance patterns that do not correlate with Roadiz session initiation events.
- Track callback endpoint requests from unexpected geographies or user agents associated with established Roadiz accounts.
How to Mitigate CVE-2026-42206
Immediate Actions Required
- Upgrade Roadiz to version 2.3.43, 2.5.45, 2.6.31, or 2.7.18 depending on the deployed release branch.
- Invalidate all active OIDC sessions and force re-authentication after applying the patch.
- Rotate any OIDC client secrets shared between Roadiz and the identity provider if token exposure is suspected.
Patch Information
The maintainers fixed the issue across four release branches: 2.3.43, 2.5.45, 2.6.31, and 2.7.18. The patches store the generated nonce in the user session during OAuth2LinkGenerator::generate() and add a nonce constraint to the JWT validation chain in OpenIdJwtConfigurationFactory, which OpenIdAuthenticator::authenticate() now enforces against the stored value. Review the GitHub Security Advisory GHSA-3gx8-q682-38mx for the full patch description.
Workarounds
- Restrict access to the Roadiz OIDC callback endpoint to trusted networks until the patch is applied.
- Configure the upstream identity provider to issue short-lived ID tokens to reduce the replay window.
- Enable additional session binding controls such as IP pinning or device fingerprinting on the Roadiz application layer.
# Update Roadiz via Composer to a patched release
composer require roadiz/core-bundle:^2.7.18
composer update roadiz/openid
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
