Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/roadiz/openid@2.5.14
Typecomposer
Namespaceroadiz
Nameopenid
Version2.5.14
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.5.45
Latest_non_vulnerable_version2.7.18
Affected_by_vulnerabilities
0
url VCID-8q48-sp2f-ukge
vulnerability_id VCID-8q48-sp2f-ukge
summary 
OpenID Connect nonce generated but never validated — ID token replay attack
### Summary
The `roadiz/openid` package generates an OIDC nonce in `OAuth2LinkGenerator::generate()` and includes it in the authorization request sent to the identity provider, but **never stores it** and **never validates it** on the callback. The `OpenIdJwtConfigurationFactory` validation chain does not include a nonce constraint, and `OpenIdAuthenticator::authenticate()` never checks the nonce claim in the returned ID token against a stored value.

### Details
In `src/OAuth2LinkGenerator.php`, a nonce is created and sent to the IdP:
```php
'nonce' => $this->tokenGenerator->generateToken(),
```
However, this value is neither stored in session, cache, nor any other persistent store.

In `src/OpenIdJwtConfigurationFactory.php`, the JWT validation constraints are:
- `LooseValidAt` (expiry)
- `PermittedFor` (audience)
- `IssuedBy` (issuer)
- `HostedDomain` (optional)
- `UserInfoEndpoint` (optional)

**No nonce constraint is present.**

In `src/Authentication/OpenIdAuthenticator.php`, the `authenticate()` method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the `nonce` claim in the ID token.

### PoC
1. Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).
2. Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.
3. Result: An attacker can authenticate as the victim within the ID token's validity window.

Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.

### Impact
- **ID token replay attacks**: Valid but intercepted tokens can be reused for authentication within their validity period.
- **Token injection attacks**: A malicious or compromised identity provider can inject tokens across sessions without detection.
- Affects any Roadiz application using the `roadiz/openid` package with OpenID Connect SSO.

The OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the `nonce` claim if it was present in the authorization request.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42206
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06127
published_at 2026-06-05T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.06064
published_at 2026-06-08T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.06111
published_at 2026-06-07T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.06115
published_at 2026-06-06T12:55:00Z
4
value 0.00024
scoring_system epss
scoring_elements 0.07168
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42206
1
reference_url https://github.com/roadiz/core-bundle-dev-app
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/roadiz/core-bundle-dev-app
2
reference_url https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T17:19:35Z/
url https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42206
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42206
4
reference_url https://github.com/advisories/GHSA-3gx8-q682-38mx
reference_id GHSA-3gx8-q682-38mx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3gx8-q682-38mx
fixed_packages
0
url pkg:composer/roadiz/openid@2.5.45
purl pkg:composer/roadiz/openid@2.5.45
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/roadiz/openid@2.5.45
1
url pkg:composer/roadiz/openid@2.6.31
purl pkg:composer/roadiz/openid@2.6.31
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/roadiz/openid@2.6.31
2
url pkg:composer/roadiz/openid@2.7.18
purl pkg:composer/roadiz/openid@2.7.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/roadiz/openid@2.7.18
aliases CVE-2026-42206, GHSA-3gx8-q682-38mx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8q48-sp2f-ukge
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/roadiz/openid@2.5.14