CVE-2026-42206— Roadiz OpenID Connect nonce generated but never validated — ID token replay attack

Roadiz OpenID Connect nonce generated but never validated — ID token replay attack

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.

N/A

对数据真实性的验证不充分

Roadiz Document base system 数据伪造问题漏洞

Roadiz Document base system是Roadiz开源的一个基于文档的HTML模板渲染系统。 Roadiz Document base system 2.3.43之前版本、2.5.45之前版本、2.6.31之前版本和2.7.18之前版本存在数据伪造问题漏洞，该漏洞源于OAuth2LinkGenerator::generate()生成OIDC nonce但从未存储且从未在回调中验证，OpenIdJwtConfigurationFactory验证链不包含nonce约束，且OpenIdAuth

N/A

N/A