CVE-2026-9733: Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross-site request forgery (CSRF).
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insecure-default CSRF protection bypass in Mojolicious::Plugin::Web::Auth::OAuth2 (Perl), versions through 0.17. The module generates its OAuth2 state parameter using a SHA-1 hash of low-entropy inputs including epoch time (leaked in the HTTP Date response header) and Perl's weak built-in rand function, making the state value predictable to a remote attacker. A successful attacker can hijack a victim user's OAuth2 session without any credentials, completing an account takeover via CSRF. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.
HarborGuard Coverage
Detection for CVE-2026-9733 is available across every HarborGuard environment. Images containing affected versions of Mojolicious::Plugin::Web::Auth::OAuth2 (up to and including 0.17) are matched against ingested advisory data within minutes of publication, covering both upstream base images and custom-built images in customer registries and CI pipelines.
HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.1 (Critical) and applies per-environment compliance policy weighting to determine urgency and ownership. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a corrected release. In the meantime, customers with auto-remediation enabled will receive a notification and can apply available compensating controls through HarborGuard's remediation workflow.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the affected web service over the network to intercept or replay the predictable OAuth2 state parameter.
- Authentication: Not required
  No account or credentials are required; the attack is possible from an unauthenticated position against a victim who is actively initiating an OAuth2 login flow.
- Victim interaction: Required
  The attack requires a victim user to initiate an OAuth2 authorization flow, which the attacker can then hijack by forging the predictable state value.
- Attack complexity: Low (AC:L in the CVSS vector)
  The exploit is reliable and condition-free once the attacker observes the HTTP Date header: epoch time and Perl's rand output supply so little entropy that the candidate state values can be enumerated quickly.
Blast Radius
- Attacker binds a victim's OAuth2 authorization code to their own session, gaining full access to the victim's account within the application.
- Reads any data accessible to the hijacked user account, including session tokens, personal information, and application-specific records.
- Modifies application state and persisted data on behalf of the hijacked user, including profile changes, transactions, or any write operations the user is authorized to perform.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-9733, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment HAYAJO or CPANSec publishes a corrected release. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While waiting for an upstream patch, compensating controls worth considering include network-policy isolation to restrict which services can initiate OAuth2 flows, egress filtering to limit outbound authorization redirects to known endpoints, and overriding the state generator in the Mojolicious plugin constructor with a cryptographically secure random source (such as Bytes::Random::Secure) as a code-level workaround. HarborGuard will surface advisory status changes and re-score affected images as new information becomes available.
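As an added example (not code from the advisory, from HAYAJO, or from the plugin's own distribution), a Mojolicious::Lite app applying the code-level workaround described above: it passes a generator backed by Bytes::Random::Secure into the plugin, shown beside an illustrative reconstruction of the weak default for contrast. The option name `state_generator`, the `Github` provider, the `on_finished` argument list and the `login` field are assumptions; confirm them against the installed plugin's documentation.

```perl
# Added example: override the OAuth2 state generator with a CSPRNG-backed
# one. Not the plugin's own code; option names are assumptions (see below).
use Mojolicious::Lite -signatures;
use Bytes::Random::Secure qw(random_bytes_hex);
use Digest::SHA qw(sha1_hex);

# Illustrative reconstruction of the weak default the advisory describes
# (SHA-1 over epoch time and rand()); NOT the module's actual source.
# Do not use: time() is disclosed by the HTTP Date header and rand() is
# not a CSPRNG, so the space of candidate states is small enough to search.
sub weak_state_generator {
    return sha1_hex( time() . rand() );
}

# Hardened replacement: 32 bytes (256 bits) from Bytes::Random::Secure,
# hex-encoded so the value is URL-safe in the authorization redirect.
sub secure_state_generator {
    return random_bytes_hex(32);
}

plugin 'Web::Auth',
    module => 'Github',                   # assumed: any OAuth2 provider the plugin ships
    key    => $ENV{OAUTH_CLIENT_ID},      # client id from the environment
    secret => $ENV{OAUTH_CLIENT_SECRET},  # client secret from the environment
    # Assumed option name: the advisory says the generator is supplied to the
    # constructor; check the plugin's POD for the exact key it expects.
    state_generator => \&secure_state_generator,
    # Assumed callback arguments for OAuth2 providers: ($c, $token, $user_info).
    on_finished => sub ($c, $access_token, $user_info) {
        # 'login' is GitHub's user-endpoint field; adjust for other providers.
        $c->session( user => $user_info->{login} );
        $c->redirect_to('/');
    };

get '/' => sub ($c) {
    $c->render( text => $c->session('user') ? 'logged in' : 'anonymous' );
};

app->start;
```

The state value is still validated by the plugin on the callback; this only changes how it is minted, so the rest of the login flow is unaffected.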
- HAYAJO / Mojolicious::Plugin::Web::Auth::OAuth2: versions ≤ 0.17
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N