QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-42206

Back to search

CVE-2026-42206

Published: May 8, 2026

Modified: May 13, 2026

PUBLISHED

Description

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.

VendorProductVersions

roadiz

core-bundle-dev-app

affected
< 2.3.43
affected
>= 2.5.0, < 2.5.45
affected
>= 2.6.0, < 2.6.31
affected
>= 2.7.0, < 2.7.18

Weaknesses (CWE)

CWE-345

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now