CVE-2026-11832: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 0.22
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability exists in Dancer2::Plugin::Auth::OAuth for Perl in versions before 0.22. The plugin generates its OAuth nonce (a single-use random token meant to prevent replay attacks) using an MD5 hash of the current epoch time, making it trivially predictable by any unauthenticated attacker over the network. A successful attacker can forge or replay OAuth requests, gaining unauthorized read and write access to protected resources without valid credentials. A patched-image rebuild at version 0.22 is available on HarborGuard for affected environments.
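The synopsis describes the root cause: a nonce that is a pure function of the epoch second. The snippet below is an added illustration, not code from the plugin or from HarborGuard; it reconstructs the weak pattern next to a clock-independent replacement and includes a small regression check a maintainer could keep in a test suite. It assumes the CPAN module Crypt::URandom is installed; the subroutine names (weak_nonce, strong_nonce, generator_is_acceptable) are hypothetical, and the page does not state how version 0.22 implements its fix, so the hardened form is a generic example rather than the upstream change.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::URandom qw(urandom);   # CPAN module wrapping the OS CSPRNG

# Weak pattern described in the advisory: the nonce is a pure function of
# the epoch second, so it is reproducible from the clock and identical for
# every request issued within the same second. Reconstructed here for
# illustration; this is not the plugin's source.
sub weak_nonce {
    my ($epoch) = @_;
    $epoch = time unless defined $epoch;
    return md5_hex($epoch);
}

# Hardened replacement (generic example, not the upstream fix): 16 bytes
# (128 bits) read from the OS CSPRNG and hex-encoded. Independent of the
# clock and of every previous call.
sub strong_nonce {
    return unpack('H*', urandom(16));
}

# Regression check a maintainer can keep in the test suite: a nonce
# generator must not repeat across two consecutive calls and must not be
# derivable from the timestamp at which it was called.
sub generator_is_acceptable {
    my ($gen) = @_;
    my $t0     = time;
    my $first  = $gen->();
    my $second = $gen->();
    my $t1     = time;   # the second may have ticked over during the calls
    return 0 if $first eq $second;                                   # repeats
    return 0 if $first eq md5_hex($t0) || $first eq md5_hex($t1);    # clock-derived
    return 1;
}

printf "weak   : %s -> %s\n", weak_nonce(),
    generator_is_acceptable(\&weak_nonce) ? 'acceptable' : 'REJECT';
printf "strong : %s -> %s\n", strong_nonce(),
    generator_is_acceptable(\&strong_nonce) ? 'acceptable' : 'REJECT';
```

Run with `perl nonce_check.pl`; the weak generator is rejected on both counts (it repeats within the same second and equals the MD5 of the timestamp), while the CSPRNG-backed generator passes. The same check is a reasonable gate for any application-level nonce or state parameter, not only the OAuth nonce discussed here.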
HarborGuard Coverage
Detection of CVE-2026-11832 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including the CPANSec advisory within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built Perl application images that bundle this plugin.
HarborGuard scores this CVE at CVSS 9.1 (Critical) using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on their configured escalation rules.
A patched-image rebuild pinned to Dancer2::Plugin::Auth::OAuth 0.22 becomes available in HarborGuard the moment the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; an attacker can send crafted OAuth requests from any internet-accessible vantage point without requiring local or adjacent access.
- Authentication: Not required
No credentials or prior account are needed; the predictable nonce can be computed and exploited by a fully unauthenticated attacker.
- Victim interaction: Not required
Exploitation is fully server-side; no user action, click, or browser navigation is required to trigger the vulnerable nonce validation path.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions; an attacker only needs to compute the MD5 of the current or recent epoch timestamp to predict the nonce.
Blast Radius
- An attacker can forge or replay OAuth authentication requests, bypassing access controls and assuming the identity of legitimate users or services.
- Confidential data accessible to impersonated accounts, such as session tokens, API credentials, and user records, is exposed to the attacker.
- An attacker can modify or submit data on behalf of impersonated identities, including writing records, changing account state, or invoking privileged API actions.
How HarborGuard Handles This
Available on HarborGuard: images containing Dancer2::Plugin::Auth::OAuth versions prior to 0.22 are flagged as Critical and a rebuilt image at the patched version is made available as soon as the fix is confirmed from the upstream CPANSec advisory. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, executes the configured regression test suite, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the flagged finding and the pre-built patched image are surfaced in the HarborGuard dashboard for one-click promotion. Given that the vulnerability is unauthenticated and network-reachable with no interaction required, teams that cannot immediately redeploy should consider applying network-policy rules to restrict public exposure of the OAuth endpoints as a compensating control while the patch is reviewed.
Fix available
- BIAFRA / Dancer2::Plugin::Auth::OAuth: < 0.22 (from 0)
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N