CVE-2026-42206 Roadiz OpenID Connect nonce generated but never validated — ID token replay attack

🗓️ 08 May 2026 21:54:32Reported by GitHub_MType

CVE-2026-42206: Roadiz OpenID Connect nonce is generated but not validated, enabling ID token replay.

Reporter	Title	Published	Views	Family All 11
ATTACKERKB	CVE-2026-42206	8 May 202621:54	–	attackerkb
Circl	CVE-2026-42206	8 May 202622:43	–	circl
CNNVD	Roadiz Document base system 数据伪造问题漏洞	8 May 202600:00	–	cnnvd
CVE	CVE-2026-42206	8 May 202621:54	–	cve
Github Security Blog	OpenID Connect nonce generated but never validated — ID token replay attack	29 Apr 202620:51	–	github
NVD	CVE-2026-42206	8 May 202622:16	–	nvd
OSV	GHSA-3GX8-Q682-38MX OpenID Connect nonce generated but never validated — ID token replay attack	29 Apr 202620:51	–	osv
Positive Technologies	PT-2026-37178	29 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-42206	13 May 202620:23	–	redhatcve
Snyk	Insufficient Verification of Data Authenticity	29 Apr 202620:51	–	snyk

[
  {
    "vendor": "roadiz",
    "product": "core-bundle-dev-app",
    "versions": [
      {
        "version": "< 2.3.43",
        "status": "affected"
      },
      {
        "version": ">= 2.5.0, < 2.5.45",
        "status": "affected"
      },
      {
        "version": ">= 2.6.0, < 2.6.31",
        "status": "affected"
      },
      {
        "version": ">= 2.7.0, < 2.7.18",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx

08 May 2026 21:54Current

CVSS 47.1

EPSS0.00021

CWE-345