Description

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to a SHA-1 hash of predictable, low-entropy sources: the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function, which is not a cryptographically secure generator. A predictable state value allows an attacker to hijack another user's session through cross-site request forgery (CSRF).
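For contrast, here is an added example (not code from the module or from CPANSec) of the weak construction the description names beside a state generator built on the OS CSPRNG, plus a constant-time check of the value returned on the callback. The controller usage in the trailing comment is hypothetical; the option name for plugging a generator into the module is not shown on this page, so none is assumed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);             # CSPRNG-backed random bytes
use MIME::Base64  qw(encode_base64url);    # URL-safe encoding for the redirect
use Digest::SHA   qw(sha1_hex);

# Weak form, following the page's description (for contrast only):
# time() is observable via the Date header and rand() is not a CSPRNG,
# so the search space for this value is small.
sub weak_state { return sha1_hex( time() . rand() ) }

# Hardened form: 32 bytes (256 bits) from the operating system's CSPRNG.
sub secure_state { return encode_base64url( urandom(32) ) }

# Compare the stored state with the one echoed back without leaking
# how many leading characters matched through timing.
sub state_matches {
    my ( $expected, $got ) = @_;
    return 0 unless defined $expected && defined $got;
    return 0 unless length $expected == length $got;
    my $diff = 0;
    for my $i ( 0 .. length($expected) - 1 ) {
        $diff |= ord( substr( $expected, $i, 1 ) ) ^ ord( substr( $got, $i, 1 ) );
    }
    return $diff == 0 ? 1 : 0;
}

# Hypothetical controller usage (not the plugin's API):
#   redirect: my $state = secure_state(); $c->session( oauth2_state => $state );
#   callback: state_matches( delete $c->session->{oauth2_state}, $c->param('state') )
#             or return $c->render( status => 403, text => 'state mismatch' );
```

Deleting the stored value on the callback makes each state single-use, so a replayed callback fails even if the value were observed.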

PUBLISHED Reserved 2026-05-27 | Published 2026-06-23 | Updated 2026-06-23 | Assigner CPANSec

Problem types

CWE-340 Generation of Predictable Numbers or Identifiers

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Product status

Default status: unaffected
Any version: affected

References

www.openwall.com/lists/oss-security/2026/06/23/1

metacpan.org/...ce/lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm

datatracker.ietf.org/doc/html/rfc6749 technical-description

security.metacpan.org/...eb-Auth/0.17/CVE-2026-9733-r2.patch patch

cve.org (CVE-2026-9733)

nvd.nist.gov (CVE-2026-9733)
