Description
Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter.

RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session (register_session) without verifying that the callback corresponds to an authorization request this session initiated.

Any application that uses this middleware for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.
Published: 2026-07-04
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plack::Middleware::OAuth versions up through 0.10 omit support for the OAuth 2.0 state parameter, and the RequestTokenV2 routine builds the provider authorization redirect without issuing a state value. The AccessTokenV2 routine accepts the callback code and registers the resulting token into the session (register_session) without verifying that the callback originates from an authorization request that this session initiated. This flaw allows an attacker to perform login cross-site request forgery. If an application uses this middleware for OAuth 2.0 authentication, the attacker can start an authorization flow with a malicious provider account and deliver the callback to a victim's browser, causing the victim's session to complete the attacker's authorization and associate the victim's session with the attacker's provider identity and access token. When the application persists that link, the attacker may retain long-term access to the victim's account using their own provider credentials.

Affected Systems

The vulnerability affects the Perl module Plack::Middleware::OAuth, specifically version 0.10 and all earlier releases. Any Perl application that incorporates this module for OAuth 2.0 authentication is susceptible if it uses those versions.

Risk and Exploitability

No CVSS score is available and the EPSS score is not reported, but the flaw lets an OAuth 2.0 login complete without any state validation, so the impact is high. The flaw is not listed in the CISA KEV catalog and there is no known public exploitation. The likely attack vector is an attacker initiating an OAuth authorization with a malicious provider account and then delivering the callback to a victim's browser, thereby hijacking the victim's session. While the vulnerability does not allow remote code execution, it enables an attacker to gain persistent access to a user's linked account through the victim's session.

Generated by OpenCVE AI on July 5, 2026 at 15:52 UTC.

Remediation

Vendor Workaround

Use the latest version from the git repository, with the patch applied.


OpenCVE Recommended Actions

  • Upgrade to the latest version of Plack::Middleware::OAuth from the git repository, where the patch for state parameter handling has been applied.
  • If an upgrade is not immediately possible, apply the patch available at https://security.metacpan.org/patches/P/Plack-Middleware-OAuth/0.10/CVE-2026-12740-r1.patch to your installation.
  • Verify that OAuth callbacks include a state value that matches the initiating session and reject any callback that does not match to prevent session hijacking.

Generated by OpenCVE AI on July 5, 2026 at 15:52 UTC.
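The following is an added example, not code from Plack::Middleware::OAuth or from the CPANSec patch, showing the check the third recommended action describes: the application issues a random state when it builds the authorization redirect, stores it in the session that started the flow, and refuses to exchange a callback code unless the callback carries that exact state. The session is a plain hash standing in for a Plack session store, the provider URL and client identifiers are constructed placeholders, and the function names (build_authorize_redirect, verify_callback) are this example's own, not the module's API. Only core Perl modules are used.

```perl
#!/usr/bin/env perl
# Added example (not Plack::Middleware::OAuth code): binding an OAuth 2.0
# authorization request to the browser session with a single-use state value.
# The session is a plain hash standing in for a Plack session store; the
# provider config values below are constructed placeholders.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64url);

# Percent-encode a query component (RFC 3986 unreserved characters left as-is).
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# 32 bytes from the kernel CSPRNG, base64url-encoded (43 chars, no padding).
sub new_state {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $n = read($fh, my $bytes, 32);
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return encode_base64url($bytes);
}

# The redirect-building step (what RequestTokenV2 does in <= 0.10), here with
# a state value issued and remembered in the session that started the flow.
sub build_authorize_redirect {
    my ($session, $cfg) = @_;
    my $state = new_state();
    $session->{oauth_state}        = $state;
    $session->{oauth_state_issued} = time;
    my %q = (
        response_type => 'code',
        client_id     => $cfg->{client_id},
        redirect_uri  => $cfg->{redirect_uri},
        scope         => $cfg->{scope},
        state         => $state,
    );
    my $query = join '&', map { url_encode($_) . '=' . url_encode($q{$_}) } sort keys %q;
    return "$cfg->{authorize_url}?$query";
}

# Constant-time comparison so the position of a mismatch is not observable.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# The check the callback handler (AccessTokenV2 / register_session) needs to
# run before exchanging the code or writing any token into the session.
# Returns (1, 'ok') or (0, reason). The pending state is consumed on every
# attempt, so a value can be used at most once.
sub verify_callback {
    my ($session, $params, $max_age) = @_;
    $max_age //= 600;    # seconds a pending authorization stays valid
    my $expected = delete $session->{oauth_state};
    my $issued   = delete $session->{oauth_state_issued};
    return (0, 'no authorization pending in this session') unless defined $expected;
    return (0, 'pending authorization expired')          if time - $issued > $max_age;
    return (0, 'callback lacks state')                   unless defined $params->{state};
    return (0, 'state does not match session')           unless secure_eq($expected, $params->{state});
    return (0, 'callback lacks code')                    unless defined $params->{code};
    return (1, 'ok');
}

# Demonstration with a constructed provider config and two sessions.
my %cfg = (
    authorize_url => 'https://provider.example/oauth/authorize',
    client_id     => 'example-client-id',
    redirect_uri  => 'https://app.example/oauth/callback',
    scope         => 'openid',
);

my %alice    = ();
my $redirect = build_authorize_redirect(\%alice, \%cfg);
my ($state)  = $redirect =~ /[?&]state=([^&]+)/;

# 1. Callback returns to the session that started the flow: accepted.
my ($ok, $why) = verify_callback(\%alice, { code => 'constructed-code', state => $state });
print "same session:    ", ($ok ? 'accepted' : "rejected ($why)"), "\n";

# 2. The same callback replayed: the state was consumed, so it is rejected.
($ok, $why) = verify_callback(\%alice, { code => 'constructed-code', state => $state });
print "replay:          ", ($ok ? 'accepted' : "rejected ($why)"), "\n";

# 3. Callback delivered to a session that never started an authorization
#    (the login-CSRF case in the advisory): rejected, no token is registered.
my %bob = ();
($ok, $why) = verify_callback(\%bob, { code => 'constructed-code', state => $state });
print "foreign session: ", ($ok ? 'accepted' : "rejected ($why)"), "\n";
```

The important ordering is that verify_callback runs before any code exchange and before anything is written into the session; with the state consumed on every attempt, a callback that reaches a session which did not start the flow has nothing to match against and is dropped, which is exactly the binding the vulnerable AccessTokenV2 path lacks.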


Advisories

No advisories yet.

History

Sat, 04 Jul 2026 18:15:00 +0000

Values added (no values removed):
  • Description: the description text reproduced at the top of this page.
  • Title: Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter
  • Weaknesses: CWE-352
  • References: (none listed)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-04T19:29:05.133Z

Reserved: 2026-06-19T16:43:08.971Z

Link: CVE-2026-12740

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T16:00:06Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)