CVE-2026-9733

CRITICAL

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter

Title source: cna
STIX 2.1

Description

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF).

Scores

CVSS v3 9.1
EPSS 0.0034
EPSS Percentile 25.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-338 CWE-340
Status published
Products (1)
HAYAJO/Mojolicious::Plugin::Web::Auth::OAuth2 < 0.17
Published Jun 23, 2026
Tracked Since Jun 23, 2026