Description
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce.

The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dancer2::Plugin::Auth::OAuth generates its default nonce by hashing the current epoch time with MD5, producing a value that is fully predictable. Because the OAuth workflow treats this nonce as a security token, an attacker who can anticipate its value can replay authentication requests or forge sessions, effectively bypassing authentication controls. The weakness is classified as CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

Affected Systems

The vulnerability affects the Perl module Dancer2::Plugin::Auth::OAuth in any installation that uses a version earlier than 0.22. These versions are maintained by the BIAFRA vendor. The issue exists in all builds of the plugin that rely on the default nonce logic, regardless of the host application.

Risk and Exploitability

The CVSS score of 9.1 marks this flaw as critical, indicating a high potential for exploitation. The EPSS score of less than 1% suggests that, despite the severity, the actual exploitation likelihood is low at present, and the vulnerability is not catalogued in the CISA KEV list. Attackers would need to interact with an OAuth transaction involving the vulnerable plugin, and could exploit the predictable nonce to craft a request that the server accepts, thereby gaining unauthorized access.

Generated by OpenCVE AI on June 17, 2026 at 21:53 UTC.

Remediation

Vendor Solution

Upgrade to version 0.22 or later.


OpenCVE Recommended Actions

  • Upgrade Dancer2::Plugin::Auth::OAuth to version 0.22 or newer.
  • If an immediate upgrade cannot be performed, replace the default nonce generator with a cryptographically secure random source, such as a true random number generator or a secure hash of a non-predictable value.
  • Implement server-side validation to detect repeated nonce values and reject replayed OAuth requests, and monitor OAuth traffic for anomalous nonce use.
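The weak pattern the advisory describes next to a hardened replacement and a replay guard, as an added illustration that is not code from the plugin or from OpenCVE. It assumes a Unix /dev/urandom and uses an in-process hash as the nonce store purely for demonstration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern described in the advisory: the nonce is an MD5 of the epoch
# time. Anyone who knows roughly when the request was made can reproduce it,
# and two requests issued in the same second receive the same nonce.
sub weak_nonce { return md5_hex(time) }

# Hardened replacement: 32 bytes from the OS CSPRNG, hex-encoded.
# Reads /dev/urandom directly so no extra CPAN module is needed; an
# equivalent would be a CSPRNG module from CPAN (assumption: one is available).
sub secure_nonce {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Server-side replay guard (recommended action above): remember every nonce
# seen within a window and reject any repeat. A real deployment would keep
# this in a shared store (database or cache) rather than a process-local hash.
my %seen;
my $WINDOW = 300;    # seconds a nonce stays "live"

sub accept_nonce {
    my ($nonce, $now) = @_;
    $now //= time;
    # drop entries older than the window so the store does not grow forever
    delete @seen{ grep { $seen{$_} < $now - $WINDOW } keys %seen };
    return 0 if exists $seen{$nonce};    # replayed nonce: reject
    $seen{$nonce} = $now;
    return 1;
}

my ($n1, $n2) = (weak_nonce(), weak_nonce());
print "weak nonces identical within one second: ", ($n1 eq $n2 ? 'yes' : 'no'), "\n";

my $nonce = secure_nonce();
print "secure nonce: $nonce\n";
print "first use accepted: ", accept_nonce($nonce), "\n";
print "replay accepted:    ", accept_nonce($nonce), "\n";
```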



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 21:45:00 +0000

Type: Description
Values Added: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.

Type: Title
Values Added: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce

Type: Weaknesses
Values Added: CWE-338

Type: References
Values Added: (empty)


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-16T16:05:26.967Z

Reserved: 2026-06-09T21:09:06.279Z

Link: CVE-2026-11832

Vulnrichment

Updated: 2026-06-16T16:05:23.004Z

NVD

Status : Deferred

Published: 2026-06-15T22:16:15.400

Modified: 2026-06-16T17:16:31.227

Link: CVE-2026-11832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T22:00:04Z

Weaknesses
  • CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)