PT-2026-37178 · Roadiz · Roadiz

Athuljayaram · Published 2026-04-29 · Updated 2026-05-09 · CVE-2026-42206

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Roadiz versions prior to 2.3.43
Roadiz versions prior to 2.5.45
Roadiz versions prior to 2.6.31
Roadiz versions prior to 2.7.18
Description

The roadiz/openid package fails to properly implement the OIDC nonce validation process. While the OAuth2LinkGenerator::generate() function creates a nonce and includes it in the authorization request sent to the identity provider, the value is neither stored nor validated during the callback. Specifically, the OpenIdJwtConfigurationFactory validation chain lacks a nonce constraint, and the OpenIdAuthenticator::authenticate() function does not verify the nonce claim in the returned ID token against a stored value. This allows ID token replay attacks, where intercepted tokens are reused for authentication, and token injection attacks, where a compromised identity provider can inject tokens across sessions.
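As an added illustration (not Roadiz's own PHP code and not the roadiz/openid API), the Python sketch below shows the relying-party side of the check the advisory describes as missing: the nonce is persisted in the user's session when the authorization request is built, then compared against the ID token's nonce claim in the callback and consumed so it cannot be used twice. The identity provider, its HS256 signing key, the issuer URL and the client identifier are all constructed for the example; a real provider signs ID tokens with an asymmetric key published through its JWKS endpoint, and the signature check would use that instead.

```python
"""Nonce handling for an OIDC relying party: mint, persist, bind, consume.
Constructed illustration; the IdP, key and identifiers below are not real."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdTokenError(Exception):
    """Any failed ID token check, including a nonce mismatch."""


def begin_login(session: dict, authorize_url: str, client_id: str, redirect_uri: str) -> str:
    """Build the authorization request. Storing the nonce in the session is the
    step the advisory reports as missing; without it the callback has nothing
    to compare the token's nonce claim against."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "nonce": nonce}
    return f"{authorize_url}?{urlencode(params)}"


def sign_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the identity provider: an HS256-signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, session: dict, key: bytes, issuer: str,
                    client_id: str, now: Optional[float] = None) -> dict:
    """Callback side: check signature, iss, aud and exp, then bind the token to
    this session through the nonce and consume the nonce (single use)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header, payload, sig = parts
    try:
        actual_sig = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        raise IdTokenError("malformed token") from None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, actual_sig):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise IdTokenError("token not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise IdTokenError("token expired")
    # Nonce constraint: pop() removes the stored value whether or not the
    # comparison succeeds, so a captured token cannot be presented again.
    stored = session.pop("oidc_nonce", None)
    presented = str(claims.get("nonce", ""))
    if stored is None or not hmac.compare_digest(stored.encode(), presented.encode()):
        raise IdTokenError("nonce mismatch: token is not bound to this login attempt")
    return claims


def demo() -> dict:
    """Run one login, then a replay in the same session and an injection into
    another session; both of the latter must be rejected by the nonce check."""
    key = b"constructed-shared-secret"        # stands in for the IdP signing key
    issuer = "https://idp.example.test"       # constructed issuer
    client_id = "example-relying-party"       # constructed client id
    results = {}
    session = {}
    url = begin_login(session, issuer + "/authorize", client_id, "https://rp.example.test/cb")
    nonce = session["oidc_nonce"]
    results["nonce_in_request"] = ("nonce=" + nonce) in url
    token = sign_id_token({"iss": issuer, "aud": client_id, "sub": "user-1",
                           "nonce": nonce, "exp": time.time() + 300}, key)
    results["first_use_ok"] = verify_id_token(token, session, key, issuer, client_id)["sub"] == "user-1"
    try:                                      # replay: same token, same session
        verify_id_token(token, session, key, issuer, client_id)
        results["replay_rejected"] = False
    except IdTokenError:
        results["replay_rejected"] = True
    other = {}                                # injection: token from another login attempt
    begin_login(other, issuer + "/authorize", client_id, "https://rp.example.test/cb")
    try:
        verify_id_token(token, other, key, issuer, client_id)
        results["cross_session_rejected"] = False
    except IdTokenError:
        results["cross_session_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The essential property is that the nonce ties one ID token to one login attempt in one browser session: a token that validates cryptographically but carries a nonce this session never issued (or one it already consumed) is rejected before any account is matched. In the Roadiz chain described above, that check would live as an extra constraint alongside the existing issuer, audience and expiry constraints, fed by the nonce saved when the authorization link was generated.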
Recommendations

Update to version 2.3.43, 2.5.45, 2.6.31 or 2.7.18, according to the release branch in use.

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity (CWE-345)

Related Identifiers

CVE-2026-42206
GHSA-3GX8-Q682-38MX

Affected Products

Roadiz