CVE-2026-9733
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter.
When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function.
A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HAYAJO | Mojolicious::Plugin::Web::Auth::OAuth2 | 0 <= 0.17 | affected |
Weaknesses
- CWE-340: CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
Workarounds
Users should specify a state_generator function in the plugin configuration that uses a secure CSPRNG such as Crypt::PRNG or (for Mojolicious 9.46 or later) the Mojo::Util::random_bytes function. For example,
plugin 'Web::Auth', module => 'OAuth2', … state_generator => sub { unpack("H*", Mojo::Util::random_bytes(20)) };
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://metacpan.org/release/HAYAJO/Mojolicious-Plugin-Web-Auth-0.17/source/lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm#L129-131
- https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
- https://security.metacpan.org/patches/M/Mojolicious-Plugin-Web-Auth/0.17/CVE-2026-9733-r2.patch
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.