GHSA-3GX8-Q682-38MX

Vulnerability from github – Published: 2026-04-29 20:51 – Updated: 2026-05-13 13:38
VLAI
Summary
OpenID Connect nonce generated but never validated — ID token replay attack
Details

Summary

The roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value.

Details

In src/OAuth2LinkGenerator.php, a nonce is created and sent to the IdP:

'nonce' => $this->tokenGenerator->generateToken(),

However, this value is neither stored in session, cache, nor any other persistent store.

In src/OpenIdJwtConfigurationFactory.php, the JWT validation constraints are: - LooseValidAt (expiry) - PermittedFor (audience) - IssuedBy (issuer) - HostedDomain (optional) - UserInfoEndpoint (optional)

No nonce constraint is present.

In src/Authentication/OpenIdAuthenticator.php, the authenticate() method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the nonce claim in the ID token.

PoC

  1. Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).
  2. Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.
  3. Result: An attacker can authenticate as the victim within the ID token's validity window.

Additionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.

Impact

  • ID token replay attacks: Valid but intercepted tokens can be reused for authentication within their validity period.
  • Token injection attacks: A malicious or compromised identity provider can inject tokens across sessions without detection.
  • Affects any Roadiz application using the roadiz/openid package with OpenID Connect SSO.

The OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the nonce claim if it was present in the authorization request.

Severity
5.7 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roadiz/openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roadiz/openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roadiz/openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roadiz/openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:51:40Z",
    "nvd_published_at": "2026-05-08T22:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `roadiz/openid` package generates an OIDC nonce in `OAuth2LinkGenerator::generate()` and includes it in the authorization request sent to the identity provider, but **never stores it** and **never validates it** on the callback. The `OpenIdJwtConfigurationFactory` validation chain does not include a nonce constraint, and `OpenIdAuthenticator::authenticate()` never checks the nonce claim in the returned ID token against a stored value.\n\n### Details\nIn `src/OAuth2LinkGenerator.php`, a nonce is created and sent to the IdP:\n```php\n\u0027nonce\u0027 =\u003e $this-\u003etokenGenerator-\u003egenerateToken(),\n```\nHowever, this value is neither stored in session, cache, nor any other persistent store.\n\nIn `src/OpenIdJwtConfigurationFactory.php`, the JWT validation constraints are:\n- `LooseValidAt` (expiry)\n- `PermittedFor` (audience)\n- `IssuedBy` (issuer)\n- `HostedDomain` (optional)\n- `UserInfoEndpoint` (optional)\n\n**No nonce constraint is present.**\n\nIn `src/Authentication/OpenIdAuthenticator.php`, the `authenticate()` method validates the state CSRF token correctly (fixed in v2.7.10), but never retrieves a stored nonce or compares it against the `nonce` claim in the ID token.\n\n### PoC\n1. Obtain a valid ID token from a legitimate OIDC flow for a target user (e.g. via network interception, browser history leak, or referrer header exposure on a non-HTTPS redirect).\n2. Replay the ID token: Since the nonce in the token is never cross-checked against a client-stored value, the token passes all validation constraints as long as it has not expired.\n3. Result: An attacker can authenticate as the victim within the ID token\u0027s validity window.\n\nAdditionally, in an authorization code flow with multiple concurrent sessions, a malicious IdP or a compromised token endpoint could inject a token with a mismatched nonce, and the application would accept it silently.\n\n### Impact\n- **ID token replay attacks**: Valid but intercepted tokens can be reused for authentication within their validity period.\n- **Token injection attacks**: A malicious or compromised identity provider can inject tokens across sessions without detection.\n- Affects any Roadiz application using the `roadiz/openid` package with OpenID Connect SSO.\n\nThe OIDC Core 1.0 specification (Section 3.1.3.7) explicitly requires clients to verify the `nonce` claim if it was present in the authorization request.",
  "id": "GHSA-3gx8-q682-38mx",
  "modified": "2026-05-13T13:38:01Z",
  "published": "2026-04-29T20:51:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/roadiz/core-bundle-dev-app"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenID Connect nonce generated but never validated \u2014 ID token replay attack"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.