What is CVE-2026-42206?

### Summary The `roadiz/openid` package generates an OIDC nonce in `OAuth2LinkGenerator::generate()` and includes it in the authorization request sent to the identity provider, but **never stores it** and **never validates it** on the callback. The `OpenIdJwtConfigurationFactory` validation chain does not include a nonce constraint, and `OpenIdAuthenticator::authenticate()` never checks the nonce claim in the returned ID token against a stored value. ### Details In `src/OAuth2LinkGenerator.php`, a nonce is created and sent to the IdP: ```php 'nonce' => $this->tokenGenerator->generateToken(), ``` However, this value is neither stored in session, cache, nor any other persistent store. In `src/OpenIdJwtConfigurationFactory.php`, the JWT validation constraints are: - `LooseValidAt` (expiry) - `PermittedFor` (audience) - `IssuedBy` (issuer) - `HostedDomain` (optional) - `UserInfoEndpoint` (optional) **No nonce constraint is present.** In `src/Authentication/OpenIdAuthenticator.php`, the `authenticate()` method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the `nonce` claim in the ID token. ### PoC 1. Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect). 2. Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired. 3. Result: An attacker can authenticate as the victim within the ID token's validity window. Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently. ### Impact - **ID token replay attacks**: Valid but intercepted tokens can be reused for authentication within their validity period. - **Token injection attacks**: A malicious or compromised identity provider can inject tokens across sessions without detection. - Affects any Roadiz application using the `roadiz/openid` package with OpenID Connect SSO. The OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the `nonce` claim if it was present in the authorization request.

What is the severity of CVE-2026-42206?

CVE-2026-42206 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-42206?

No known public exploits are currently available for CVE-2026-42206.

Is there a patch available for CVE-2026-42206?

Yes, patches are available for CVE-2026-42206. Check the vendor advisories for update instructions.

CVE-2026-42206 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value.

Details

In src/OAuth2LinkGenerator.php, a nonce is created and sent to the IdP:

'nonce' => $this->tokenGenerator->generateToken(),

However, this value is neither stored in session, cache, nor any other persistent store.

In src/OpenIdJwtConfigurationFactory.php, the JWT validation constraints are:

LooseValidAt (expiry)
PermittedFor (audience)
IssuedBy (issuer)
HostedDomain (optional)
UserInfoEndpoint (optional)

No nonce constraint is present.

In src/Authentication/OpenIdAuthenticator.php, the authenticate() method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the nonce claim in the ID token.

PoC

Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).
Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.
Result: An attacker can authenticate as the victim within the ID token's validity window.

Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-42206

Summary

Details

PoC

Impact