Description
Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.
Published: 2026-05-08
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roadiz CMS without patch in its openid package creates an OIDC nonce during the authorization request but never stores or revisits it upon callback. Because the nonce is not validated against a stored value, an attacker can capture and replay a legitimate ID token, allowing impersonation of an authenticated user without having to forge credentials. The vulnerability, classified as CWE-345, permits an ID token replay attack that can compromise authentication integrity.

Affected Systems

The flaw exists in the Roadiz core-bundle-dev-app for all releases prior to 2.3.43, 2.5.45, 2.6.31, and 2.7.18. Any instance of Roadiz using those older versions is vulnerable, particularly where the openid integration is active.

Risk and Exploitability

With a CVSS score of 5.7, the vulnerability carries a moderate severity rating and poses a tangible risk in environments lacking additional nonce checks. Since no EPSS value is available and the issue is not listed in CISA KEV, there is no documented active exploitation, yet the attack vector likely involves a remote attacker replaying an ID token captured during a legitimate authentication flow. The absence of nonce validation directly undermines authentication correctness and can lead to unauthorized access.

Generated by OpenCVE AI on May 8, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Roadiz core-bundle-dev-app patch, upgrading to release 2.3.43 or newer of each major line (2.5.45, 2.6.31, 2.7.18).
  • Ensure that the OIDC authentication flow checks the nonce claim against a stored value, adding a middleware component if the framework lacks this validation.
  • Implement monitoring of authentication endpoints to detect and alert on repeated use of ID token claims, providing an early warning for potential replay attempts.

Generated by OpenCVE AI on May 8, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3gx8-q682-38mx OpenID Connect nonce generated but never validated — ID token replay attack
History

Fri, 08 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Roadiz
Roadiz core-bundle-dev-app
Vendors & Products Roadiz
Roadiz core-bundle-dev-app

Fri, 08 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.
Title Roadiz OpenID Connect nonce generated but never validated — ID token replay attack
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Roadiz Core-bundle-dev-app
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:54:32.715Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42206

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T22:16:31.963

Modified: 2026-05-08T22:16:31.963

Link: CVE-2026-42206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses