Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
A CSRF session hijack requires the victim to follow an attacker-supplied link (UI:R) and a successful prediction of the rand()/epoch-derived state value (AC:H); no authentication is needed; the impact is full confidentiality and integrity of the session, with no effect on availability.
Primary rating from Vendor (CPANSec).
CVSS Vector (Vendor: CPANSec): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter.
When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function.
A predictable state allows an attacker to hijack another user's session through cross-site request forgery (CSRF).
Analysis (AI)
CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable default state parameter built from a SHA-1 hash of leaked epoch time and Perl's weak rand(). Remote attackers can guess or precompute valid state values to forge OAuth2 authorization responses and bind a victim's session to an attacker-controlled identity. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) that the target application uses Mojolicious::Plugin::Web::Auth::OAuth2 ≤0.17 without passing a custom state generator to the constructor (applications that already override the state callback are not affected); (2) that the OAuth2 callback endpoint is reachable by the attacker over the network; and (3) that a victim is induced to visit an attacker-crafted authorization or callback URL while authenticated, which in practice is a user-interaction prerequisite even though the vendor CVSS vector encodes UI:N. … |
| Risk Assessment | The CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:N) reflects that an unauthenticated network attacker can compromise the confidentiality and integrity of a victim's authenticated session, but the practical risk is meaningfully lower than the headline number suggests. … |
| Exploit Scenario | An attacker initiates an OAuth2 authorization request on the target Mojolicious application, observes the HTTP Date response header to learn the epoch seed, and brute-forces the small rand() space to precompute the SHA-1 state value the server will accept. They then lure a logged-in victim (e.g., via a phishing link or malicious page) to a crafted callback URL containing the attacker's authorization code and the precomputed state, causing the victim's session to be bound to the attacker-controlled identity provider account. |
| Remediation | Patch available per vendor advisory: apply the official fix from https://security.metacpan.org/patches/M/Mojolicious-Plugin-Web-Auth/0.17/CVE-2026-9733-r2.patch and upgrade to the corresponding fixed release of Mojolicious-Plugin-Web-Auth once published on CPAN, as referenced in the oss-security advisory https://seclists.org/oss-sec/2026/q2/1001 and VulDB entry https://vuldb.com/vuln/372875. … |
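The assessment above says applications that supply their own state callback are unaffected. The following is an added example (not code from the plugin or the advisory) of what such a callback and its callback-side check should look like: the weak shape the advisory describes is shown only for contrast, the hardened generator draws from the OS CSPRNG, and the option name `state_generator` in the wiring comment is an assumption about the plugin's constructor, not a documented parameter.

```perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);           # CPAN module; portable read of the OS CSPRNG
use MIME::Base64   qw(encode_base64url);  # core Perl
use Mojo::Util     qw(secure_compare);
use Digest::SHA    qw(sha1_hex);

# Shape of the insecure default described in the advisory: the epoch second
# (observable through the HTTP Date header) combined with rand(). This is an
# illustration of the construction, not the module's literal code. Do not use.
sub weak_state {
    return sha1_hex( rand() . time );
}

# Hardened replacement: 256 bits from the OS CSPRNG, URL-safe encoded.
# Nothing in the value can be derived from server state an observer can see.
sub secure_state {
    return encode_base64url( urandom(32) );
}

# Callback-side check. $c is a Mojolicious controller; the state issued at
# authorization time is assumed to have been stored in the user's session
# under 'oauth2_state'. The value is deleted on first use (no replay) and
# compared in constant time so a mismatch leaks no timing information.
sub consume_state {
    my ( $c, $returned ) = @_;
    my $expected = delete $c->session->{oauth2_state};
    return 0 unless defined $expected && defined $returned;
    return secure_compare( $expected, $returned ) ? 1 : 0;
}

# Wiring (assumed option name, verify against the installed version's POD):
#
#   $app->plugin('Web::Auth',
#       module          => 'Github',
#       key             => $client_id,
#       secret          => $client_secret,
#       state_generator => \&secure_state,   # overrides the weak default
#       on_finished     => sub { ... },
#   );
```

Auditing for this issue means checking both halves: that the generator is overridden, and that the callback actually verifies the returned state against the session rather than only checking it is present.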
Recommended Action (AI)
Within 24 hours: Identify all systems and applications using Mojolicious::Plugin::Web::Auth::OAuth2 version 0.17 or earlier. …
Related identifiers: EUVD-2026-38421, GHSA-rq65-66g5-5pg2