Skip to main content

Roadiz OpenID CVE-2026-42206

MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-04-29 https://github.com/roadiz/core-bundle-dev-app GHSA-3gx8-q682-38mx
5.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
May 08, 2026 - 22:22 NVD
5.7 (MEDIUM)
Source Code Evidence Fetched
Apr 29, 2026 - 21:00 vuln.today
Analysis Generated
Apr 29, 2026 - 21:00 vuln.today
Analysis Generated
Apr 29, 2026 - 20:57 vuln.today
CVE Published
Apr 29, 2026 - 20:51 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

The roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value.

Details

In src/OAuth2LinkGenerator.php, a nonce is created and sent to the IdP:

php
'nonce' => $this->tokenGenerator->generateToken(),

However, this value is neither stored in session, cache, nor any other persistent store.

In src/OpenIdJwtConfigurationFactory.php, the JWT validation constraints are:

  • LooseValidAt (expiry)
  • PermittedFor (audience)
  • IssuedBy (issuer)
  • HostedDomain (optional)
  • UserInfoEndpoint (optional)

No nonce constraint is present.

In src/Authentication/OpenIdAuthenticator.php, the authenticate() method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the nonce claim in the ID token.

PoC

  1. Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).
  2. Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.
  3. Result: An attacker can authenticate as the victim within the ID token's validity window.

Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.

Impact

  • ID token replay attacks: Valid but intercepted tokens can be reused for authentication within their validity period.
  • Token injection attacks: A malicious or compromised identity provider can inject tokens across sessions without detection.
  • Affects any Roadiz application using the roadiz/openid package with OpenID Connect SSO.

The OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the nonce claim if it was present in the authorization request.

AnalysisAI

Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.

Technical ContextAI

OpenID Connect (OIDC) is a delegation protocol layered on OAuth 2.0 that standardizes authentication flows using JSON Web Tokens (JWT). The nonce parameter is a cryptographic mitigation against token replay and injection attacks, required by OIDC Core 1.0 Section 3.1.3.7. In the roadiz/openid package (Composer package pkg:composer/roadiz/openid), the OAuth2LinkGenerator generates a random nonce token and includes it in the authorization request to the identity provider, but the implementation has three critical gaps: the nonce is never persisted to session or cache storage; the OpenIdJwtConfigurationFactory JWT validation chain omits nonce constraint validation, checking only expiry (LooseValidAt), audience (PermittedFor), issuer (IssuedBy), and optional hosted domain and userinfo endpoint constraints; and OpenIdAuthenticator::authenticate() performs state CSRF token validation correctly but never retrieves a stored nonce or compares it against the nonce claim in the returned ID token. This violates the OIDC specification requirement that clients validate the nonce claim if present in the authorization request, creating a gap in the validation chain that allows cryptographically valid but semantically invalid tokens to be accepted. The root cause is classified under CWE-345 (Insufficient Verification of Data Authenticity).

RemediationAI

Upgrade roadiz/openid to version 2.7.18 or later (recommended for users on 2.7.x branch), 2.6.31 or later (for 2.6.x branch), 2.5.45 or later (for 2.5.x branch), or 2.3.43 or later (for legacy 2.3.x installations). The patched versions implement proper nonce storage in the session/cache during authorization request generation and validate the nonce claim in the returned ID token JWT before accepting authentication. Update via Composer: composer update roadiz/openid to pull the latest compatible patched version. No workarounds are available for applications that cannot immediately patch; however, as a temporary but incomplete compensating control, disable OpenID Connect SSO (reverting to alternative authentication methods) until patches can be deployed - this eliminates the attack vector entirely but may disrupt user workflows. Apply patches as soon as feasible, as the attack requires only token interception (a passive network-based attack) and is effective against all active user sessions within the token validity window. Refer to vendor advisory at https://github.com/advisories/GHSA-3gx8-q682-38mx for detailed patch notes and compatibility information.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy