{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "2.3.43"
              },
              {
                "introduced": "2.5.0"
              },
              {
                "fixed": "2.5.45"
              },
              {
                "introduced": "2.6.0"
              },
              {
                "fixed": "2.6.31"
              },
              {
                "introduced": "2.7.0"
              },
              {
                "fixed": "2.7.18"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1d93a7ffa9a0d466560d5c4d7d88263ac1d25924"
            },
            {
              "introduced": "d328f2545acb6a04bfa5e88a39f24a1462e2f076"
            },
            {
              "fixed": "90689e8a9332a3ded0c9d82de2597ce0a70659b2"
            },
            {
              "introduced": "61615a9afed0b4dcdf51ca475c1ece8f6b21968c"
            },
            {
              "fixed": "4883d6b62ef5c916b22b71757d8d361498ec957c"
            },
            {
              "introduced": "6e406d459f47e060d2954231b9b645d1698d2074"
            },
            {
              "fixed": "52c3f27dec73b148e0c7769624497df567e9d841"
            }
          ],
          "repo": "https://github.com/roadiz/core-bundle-dev-app",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-3gx8-q682-38mx"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-345"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42206.json"
  },
  "details": "Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18.",
  "id": "CVE-2026-42206",
  "modified": "2026-07-08T05:38:07.864404672Z",
  "published": "2026-05-08T21:54:32.715Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42206.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42206"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Roadiz OpenID Connect nonce generated but never validated — ID token replay attack"
}