Medium severityGHSA Advisory· Published May 8, 2026· Updated May 13, 2026

CVE-2026-42206

Description

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
roadiz/openidPackagist	>= 2.7.0, < 2.7.18	2.7.18
roadiz/openidPackagist	>= 2.6.0, < 2.6.31	2.6.31
roadiz/openidPackagist	>= 2.5.0, < 2.5.45	2.5.45
roadiz/openidPackagist	< 2.3.43	2.3.43

Affected products

Roadiz/Core Bundle Dev AppGHSA
Range: < 2.3.43

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-3gx8-q682-38mxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42206ghsaADVISORY
github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mxnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000