Polymorphic CMS Vulnerability in Roadiz Affects OAuth2 Integration
CVE-2026-42206

5.7 MEDIUM

Key Information:

Vendor: Roadiz

CVE Published: 8 May 2026

What is CVE-2026-42206?

The Roadiz CMS contains a security flaw in its OIDC implementation: it generates a nonce for OAuth2 authorization requests but never stores that nonce, so it cannot validate it when the callback arrives. The nonce exists to bind the returned ID token to the authentication request that started the flow and thereby prevent replay; because it is never checked against a stored value, that protection is absent during authentication. Users running affected versions should update to patched releases to mitigate this vulnerability.
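To make the flaw concrete, here is an added Python sketch (not Roadiz's code) of an OIDC relying-party login and callback in the shape the description gives, with the nonce generated but never stored, beside a version that keeps the nonce in the server-side session and requires the ID token's nonce claim to match it exactly. The authorization endpoint, the session dict and the unsigned ID token are constructed placeholders; ID token signature verification is a separate, required step that this sketch does not show.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://idp.example/authorize"  # placeholder, not a real provider

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(nonce: str) -> str:
    """Constructed, unsigned ID token (header.payload.signature) for demonstration only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"sub": "user-1", "nonce": nonce}).encode())
    return f"{header}.{payload}."

def id_token_nonce(id_token: str):
    """Read the nonce claim from the payload. Signature verification happens elsewhere."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    return payload.get("nonce")

def start_login_vulnerable(session: dict) -> str:
    # Nonce is generated and sent to the IdP, but never remembered server-side.
    nonce = secrets.token_urlsafe(32)
    return AUTHZ_ENDPOINT + "?" + urlencode({"response_type": "code", "nonce": nonce})

def callback_vulnerable(session: dict, id_token: str) -> bool:
    # Nothing was stored, so there is nothing to compare: any token with a nonce passes,
    # including one captured from an earlier flow and replayed.
    return id_token_nonce(id_token) is not None

def start_login_fixed(session: dict) -> str:
    # Store the nonce in the user's own session so the callback can check it.
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return AUTHZ_ENDPOINT + "?" + urlencode({"response_type": "code", "nonce": nonce})

def callback_fixed(session: dict, id_token: str) -> bool:
    # Consume the stored nonce (single use) and require an exact, constant-time match.
    expected = session.pop("oidc_nonce", None)
    actual = id_token_nonce(id_token)
    if expected is None or actual is None:
        return False
    return secrets.compare_digest(expected, actual)
```

Detection of this class of bug is a code-review question: confirm that the nonce written into the authorization URL is also written somewhere the callback can read, and that the callback rejects a missing or mismatched claim.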

Affected Version(s)

core-bundle-dev-app < 2.3.43 (fixed in 2.3.43)

core-bundle-dev-app >= 2.5.0, < 2.5.45 (fixed in 2.5.45)

core-bundle-dev-app >= 2.6.0, < 2.6.31 (fixed in 2.6.31)

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved