Skip to main content

Plack::Middleware::OAuth EUVDEUVD-2026-41687

| CVE-2026-12740 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
8.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network reachable and low complexity with no attacker auth (PR:N), but the callback must be delivered to a victim (UI:R); resulting account link grants high confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jul 06, 2026 - 15:43 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 06, 2026 - 15:43 vuln.today
Analysis Updated
Jul 06, 2026 - 15:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 15:37 vuln.today
cvss_changed
Severity Changed
Jul 06, 2026 - 15:37 NVD
CRITICAL HIGH
CVSS changed
Jul 06, 2026 - 15:37 NVD
8.1 (CRITICAL) 8.1 (HIGH)
Analysis Generated
Jul 04, 2026 - 18:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Login cross-site request forgery in Plack::Middleware::OAuth through 0.10 (Perl/PSGI OAuth login middleware) lets an unauthenticated remote attacker bind their own provider identity to a victim's session because the OAuth 2.0 flow omits the anti-CSRF state parameter and never verifies that a callback belongs to the session that initiated the flow. With victim interaction (clicking an attacker-supplied callback URL), the attacker's provider account and access token become associated with the victim's session, and where the app persists this as an account link the attacker retains ongoing access to the victim's account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register attacker OAuth provider account
Delivery
Start authorization, capture callback code
Exploit
Deliver callback URL to victim
Execution
Victim session exchanges attacker's code
Persist
Attacker identity linked to victim session
Impact
Persistent access to victim account

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses Plack::Middleware::OAuth (<=0.10) specifically for OAuth 2.0 login via the RequestTokenV2/AccessTokenV2 handlers, and that the victim be induced to load an attacker-crafted OAuth callback URL while holding a session on the app (UI:R - the victim must click or otherwise trigger the callback request). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a genuine but interaction-gated integrity risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker begins an OAuth 2.0 authorization at the target application using their own provider account, capturing the resulting authorization callback URL/code. They then lure a victim (via a phishing email or a hidden link/auto-submitting page) into visiting that callback URL while the victim has a session on the vulnerable app; because AccessTokenV2 does not verify any state binding, the victim's session completes the attacker's authorization and registers the attacker's provider identity and token, and where the app stores this as an account link the attacker gains persistent access to the victim's account. …
Remediation Upstream fix available (PR/commit); a released patched version is not independently confirmed from the provided data, so apply the fix from GitHub PR #13 (https://github.com/c9s/Plack-Middleware-OAuth/pull/13) or the official patch at https://security.metacpan.org/patches/P/Plack-Middleware-OAuth/0.10/CVE-2026-12740-r1.patch, which adds CSPRNG-backed state generation/validation and requires Plack::Middleware::Session >= 0.35 plus Crypt::SysRandom; watch CPAN (https://metacpan.org/dist/Plack-Middleware-OAuth) for a tagged release above 0.10 and track RT ticket https://rt.cpan.org/Ticket/Display.html?id=179874 and the oss-security advisory https://seclists.org/oss-sec/2026/q3/27. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all applications using Plack::Middleware::OAuth and document current versions deployed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy