CVE-2026-9733
CRITICALMojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Title source: cnaDescription
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF).
References (4)
Core 4
Core References
Technical Description technical-description
https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
Scores
CVSS v3
9.1
EPSS
0.0034
EPSS Percentile
25.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-338
CWE-340
Status
published
Products (1)
HAYAJO/Mojolicious::Plugin::Web::Auth::OAuth2
< 0.17
Published
Jun 23, 2026
Tracked Since
Jun 23, 2026