Roadiz OpenID CVE-2026-42206
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
The roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value.
Details
In src/OAuth2LinkGenerator.php, a nonce is created and sent to the IdP:
'nonce' => $this->tokenGenerator->generateToken(),However, this value is neither stored in session, cache, nor any other persistent store.
In src/OpenIdJwtConfigurationFactory.php, the JWT validation constraints are:
LooseValidAt(expiry)PermittedFor(audience)IssuedBy(issuer)HostedDomain(optional)UserInfoEndpoint(optional)
No nonce constraint is present.
In src/Authentication/OpenIdAuthenticator.php, the authenticate() method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the nonce claim in the ID token.
PoC
- Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).
- Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.
- Result: An attacker can authenticate as the victim within the ID token's validity window.
Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.
Impact
- ID token replay attacks: Valid but intercepted tokens can be reused for authentication within their validity period.
- Token injection attacks: A malicious or compromised identity provider can inject tokens across sessions without detection.
- Affects any Roadiz application using the
roadiz/openidpackage with OpenID Connect SSO.
The OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the nonce claim if it was present in the authorization request.
AnalysisAI
Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.
Technical ContextAI
OpenID Connect (OIDC) is a delegation protocol layered on OAuth 2.0 that standardizes authentication flows using JSON Web Tokens (JWT). The nonce parameter is a cryptographic mitigation against token replay and injection attacks, required by OIDC Core 1.0 Section 3.1.3.7. In the roadiz/openid package (Composer package pkg:composer/roadiz/openid), the OAuth2LinkGenerator generates a random nonce token and includes it in the authorization request to the identity provider, but the implementation has three critical gaps: the nonce is never persisted to session or cache storage; the OpenIdJwtConfigurationFactory JWT validation chain omits nonce constraint validation, checking only expiry (LooseValidAt), audience (PermittedFor), issuer (IssuedBy), and optional hosted domain and userinfo endpoint constraints; and OpenIdAuthenticator::authenticate() performs state CSRF token validation correctly but never retrieves a stored nonce or compares it against the nonce claim in the returned ID token. This violates the OIDC specification requirement that clients validate the nonce claim if present in the authorization request, creating a gap in the validation chain that allows cryptographically valid but semantically invalid tokens to be accepted. The root cause is classified under CWE-345 (Insufficient Verification of Data Authenticity).
RemediationAI
Upgrade roadiz/openid to version 2.7.18 or later (recommended for users on 2.7.x branch), 2.6.31 or later (for 2.6.x branch), 2.5.45 or later (for 2.5.x branch), or 2.3.43 or later (for legacy 2.3.x installations). The patched versions implement proper nonce storage in the session/cache during authorization request generation and validate the nonce claim in the returned ID token JWT before accepting authentication. Update via Composer: composer update roadiz/openid to pull the latest compatible patched version. No workarounds are available for applications that cannot immediately patch; however, as a temporary but incomplete compensating control, disable OpenID Connect SSO (reverting to alternative authentication methods) until patches can be deployed - this eliminates the attack vector entirely but may disrupt user workflows. Apply patches as soon as feasible, as the attack requires only token interception (a passive network-based attack) and is effective against all active user sessions within the token validity window. Refer to vendor advisory at https://github.com/advisories/GHSA-3gx8-q682-38mx for detailed patch notes and compatibility information.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-3gx8-q682-38mx