
Mojolicious OAuth2 Plugin CVE-2026-9733

EUVD: EUVD-2026-38421 · CRITICAL
Generation of Predictable Numbers or Identifiers (CWE-340)
Published 2026-06-23 · CPANSec · GHSA-rq65-66g5-5pg2
CVSS 3.1 base score 9.1 (Vendor: CPANSec)

Severity by source

Vendor (CPANSec), primary rating: 9.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today AI: 6.8 MEDIUM
Rationale: the CSRF session hijack needs the victim to follow an attacker-supplied link (UI:R) and a successful rand()/epoch prediction (AC:H); no authentication is needed; full confidentiality and integrity impact on the session, no availability effect.
CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Vector (Vendor: CPANSec)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Jun 23, 2026 15:53 · vuln.today · Analysis generated
Jun 23, 2026 15:53 · NVD · CVSS changed: 9.1 (None) → 9.1 (CRITICAL)
Jun 23, 2026 07:05 · cve.org · CVE published (no severity yet)

Description (CVE.org)

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter.

When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function.

A predictable state allows an attacker to hijack another user's session through cross-site request forgery (CSRF).

Analysis (AI)

CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable default state parameter built from a SHA-1 hash of leaked epoch time and Perl's weak rand(). Remote attackers can guess or precompute valid state values to forge OAuth2 authorization responses and bind a victim's session to an attacker-controlled identity. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: identify the Mojolicious OAuth2 login endpoint
Delivery: read the Date header to learn the epoch seed
Exploit: brute-force the rand() space to predict the state
Execution: lure the victim to a crafted callback URL
Persist: the victim's browser submits the attacker's code with the predicted state
Impact: the server binds the victim's session to the attacker's IdP account

Vulnerability Assessment (AI)

Exploitation: exploitation requires (1) that the target application uses Mojolicious::Plugin::Web::Auth::OAuth2 ≤0.17 without passing a custom state generator to the constructor (applications that already override the state callback are not affected); (2) that the OAuth2 callback endpoint is reachable by the attacker over the network; and (3) that a victim is induced to visit an attacker-crafted authorization or callback URL while authenticated, which in practice is a user-interaction prerequisite even though the vendor CVSS vector encodes UI:N. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: the CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects that an unauthenticated network attacker can compromise the confidentiality and integrity of a victim's authenticated session, but the practical risk is meaningfully lower than the headline number suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: an attacker initiates an OAuth2 authorization request on the target Mojolicious application, observes the HTTP Date response header to learn the epoch seed, and brute-forces the small rand() space to precompute the SHA-1 state value the server will accept. They then lure a logged-in victim (e.g. via a phishing link or malicious page) to a crafted callback URL containing the attacker's authorization code and the precomputed state, causing the victim's session to be bound to the attacker-controlled identity provider account.

Remediation: a patch is available per the vendor advisory. Apply the official fix from https://security.metacpan.org/patches/M/Mojolicious-Plugin-Web-Auth/0.17/CVE-2026-9733-r2.patch and upgrade to the corresponding fixed release of Mojolicious-Plugin-Web-Auth once it is published on CPAN, as referenced in the oss-security advisory https://seclists.org/oss-sec/2026/q2/1001 and the VulDB entry https://vuldb.com/vuln/372875. … Detailed patch versions, workarounds, and compensating controls in full report.
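As an added example (not the plugin's own code and not the patch linked above), the Perl below places the pattern the description warns against, a SHA-1 over epoch time and rand(), beside a CSPRNG-backed state generator and the callback-side check that any custom state callback should be paired with. It assumes Mojolicious is installed (Mojo::Util provides secure_compare), that /dev/urandom is available, and that the plugin stores the issued state under a session key; the key name oauth2_state and the sub names are illustrative. The constructor option under which the plugin accepts a custom state generator is not shown on this page, so it is not named here; take it from the module's documentation.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Mojo::Util  qw(secure_compare);   # Mojolicious ships this; it is a dependency of the plugin

# Illustrative reconstruction of the anti-pattern the advisory describes,
# NOT the plugin's source: the only inputs are the epoch second (exposed by
# the HTTP Date header) and rand(), so the value is a deterministic function
# of two guessable quantities. Grep your own code for this shape.
sub weak_state {
    my ($epoch, $rand_value) = @_;
    return sha1_hex($epoch . $rand_value);
}

# Hardened generator: 32 bytes from the kernel CSPRNG, hex-encoded (64 chars).
# Crypt::URandom from CPAN is a portable equivalent if /dev/urandom is absent.
sub new_oauth2_state {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = sysread $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Callback-side check. $session is the hash ref behind $c->session, $received
# is the state parameter the identity provider sent back. The stored value is
# removed before comparing so a state can be consumed only once, and the
# comparison is constant-time (secure_compare is false on a length mismatch).
# The session key name 'oauth2_state' is an assumption for this example.
sub verify_state {
    my ($session, $received) = @_;
    my $expected = delete $session->{oauth2_state};
    return 0 unless defined $expected && defined $received;
    return secure_compare($expected, $received) ? 1 : 0;
}

# Stand-alone demonstration with a plain hash standing in for the session.
my %session = (oauth2_state => new_oauth2_state());
my $issued  = $session{oauth2_state};

printf "issued state: %s (%d hex chars)\n", $issued, length $issued;
print  "genuine callback: ", (verify_state(\%session, $issued) ? "accepted" : "rejected"), "\n";
print  "replayed state:   ", (verify_state(\%session, $issued) ? "accepted" : "rejected"), "\n";

%session = (oauth2_state => new_oauth2_state());
print  "forged state:     ", (verify_state(\%session, 'a' x 64) ? "accepted" : "rejected"), "\n";
```

Run as-is, the genuine callback is accepted and both the replayed and the forged value are rejected. Until the fixed release is installed, wiring new_oauth2_state in as the constructor's state generator removes the predictable default; verify_state shows what the callback handler has to do with the value regardless of which generator produced it: compare in constant time and consume it, so a state cannot be replayed.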

Recommended Action (AI)

Within 24 hours: Identify all systems and applications using Mojolicious::Plugin::Web::Auth::OAuth2 version 0.17 or earlier. …

CVE-2026-9733 vulnerability details – vuln.today