GHSA-rfx5-x6rx-6w25
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Network reachable and low complexity with no attacker auth (PR:N), but the callback must be delivered to a victim (UI:R); resulting account link grants high confidentiality/integrity impact and no availability effect.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
7Description PRE-NVD
AnalysisAI
Login cross-site request forgery in Plack::Middleware::OAuth through 0.10 (Perl/PSGI OAuth login middleware) lets an unauthenticated remote attacker bind their own provider identity to a victim's session because the OAuth 2.0 flow omits the anti-CSRF state parameter and never verifies that a callback belongs to the session that initiated the flow. With victim interaction (clicking an attacker-supplied callback URL), the attacker's provider account and access token become associated with the victim's session, and where the app persists this as an account link the attacker retains ongoing access to the victim's account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses Plack::Middleware::OAuth (<=0.10) specifically for OAuth 2.0 login via the RequestTokenV2/AccessTokenV2 handlers, and that the victim be induced to load an attacker-crafted OAuth callback URL while holding a session on the app (UI:R - the victim must click or otherwise trigger the callback request). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine but interaction-gated integrity risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker begins an OAuth 2.0 authorization at the target application using their own provider account, capturing the resulting authorization callback URL/code. They then lure a victim (via a phishing email or a hidden link/auto-submitting page) into visiting that callback URL while the victim has a session on the vulnerable app; because AccessTokenV2 does not verify any state binding, the victim's session completes the attacker's authorization and registers the attacker's provider identity and token, and where the app stores this as an account link the attacker gains persistent access to the victim's account. … |
| Remediation | Upstream fix available (PR/commit); a released patched version is not independently confirmed from the provided data, so apply the fix from GitHub PR #13 (https://github.com/c9s/Plack-Middleware-OAuth/pull/13) or the official patch at https://security.metacpan.org/patches/P/Plack-Middleware-OAuth/0.10/CVE-2026-12740-r1.patch, which adds CSPRNG-backed state generation/validation and requires Plack::Middleware::Session >= 0.35 plus Crypt::SysRandom; watch CPAN (https://metacpan.org/dist/Plack-Middleware-OAuth) for a tagged release above 0.10 and track RT ticket https://rt.cpan.org/Ticket/Display.html?id=179874 and the oss-security advisory https://seclists.org/oss-sec/2026/q3/27. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all applications using Plack::Middleware::OAuth and document current versions deployed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41687