Description
Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.

Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Authen::TOTP occurs because the Perl library generates one‑time‑password secrets using the non‑cryptographically secure rand function. This predictability allows an attacker who can infer the internal random state to calculate or guess the secret, thereby forging one‑time passwords and compromising authentication integrity.

Affected Systems

All installations of Authen::TOTP prior to version 0.1.1 are affected. The vendor TCHATZI released 0.1.1 which switches to a proper cryptographically secure random source, eliminating the predictability.

Risk and Exploitability

The CVE description does not specify a precise attack vector; the inference is that an attacker would need some level of access to the system running the vulnerable library to exploit the weakness. No network or remote access requirements are stated. EPSS is not available and the vulnerability is not listed in KEV, yet the impact on authentication integrity is high, as reflected by the CVSS score of 7.5. Systems that rely on Authen::TOTP for user authentication should treat the risk as significant and act accordingly.

Generated by OpenCVE AI on May 21, 2026 at 21:21 UTC.

Remediation

Vendor Solution

Upgrade to version 0.1.1 or later.


OpenCVE Recommended Actions

  • Upgrade to Authen::TOTP version 0.1.1 or later, which uses a cryptographically secure random source.
  • Regenerate any existing OTP secrets that were created with the vulnerable library and rotate them in all services and users.
  • Audit your deployment for other scripts or libraries that rely on Perl's rand for cryptographic material and replace them with a secure RNG such as Crypt::Secure::Random.

Generated by OpenCVE AI on May 21, 2026 at 21:21 UTC.
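As an added example (not Authen::TOTP's own code, nor a fix taken from the 0.1.1 release), the weak generation pattern the advisory describes sits next to a replacement that draws the secret from the operating system CSPRNG. It assumes the CPAN modules Crypt::URandom and Convert::Base32 are installed; the 20-byte length is the RFC 6238 recommendation.

```perl
#!/usr/bin/env perl
# Added example: weak vs. CSPRNG-backed TOTP secret generation in Perl.
use strict;
use warnings;
use Crypt::URandom  qw(urandom);        # CPAN; reads /dev/urandom or the OS CSPRNG
use Convert::Base32 qw(encode_base32);  # CPAN; TOTP secrets are provisioned as base32

# BEFORE (the pattern CVE-2026-46473 describes): rand() is a general-purpose
# PRNG with a small internal state. Its output is reproducible by anyone who
# learns or guesses that state, so a secret built from it is guessable.
sub weak_secret {
    my $len = shift // 20;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# AFTER: take the bytes from the operating system CSPRNG instead, and refuse
# to hand out secrets shorter than 128 bits (RFC 4226 minimum; 160 bits
# recommended by RFC 6238).
sub secure_secret {
    my $len = shift // 20;
    die "TOTP secret must be at least 16 bytes, got $len\n" if $len < 16;
    return urandom($len);               # dies itself if no CSPRNG is available
}

# Authenticator apps expect the raw secret as unpadded, upper-case base32.
sub provision_string {
    my ($raw) = @_;
    (my $b32 = uc encode_base32($raw)) =~ s/=+\z//;
    return $b32;
}

# Demonstration: a fresh secret suitable for enrolling a user. Secrets issued
# by weak_secret() before the upgrade must be regenerated with secure_secret().
my $secret = secure_secret(20);
printf "secret bytes: %d\nbase32 for enrolment: %s\n",
    length($secret), provision_string($secret);
```

Reissuing secrets is the operational half of the fix: upgrading the library does nothing for secrets already in the database that were produced by the rand()-based path.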

Advisories

No advisories yet.

History

Thu, 21 May 2026 22:30:00 +0000

Type          Values Removed   Values Added
References    -                -

Thu, 21 May 2026 20:30:00 +0000

Type          Values Removed   Values Added
Metrics       -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description   -                Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Title         -                Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand
Weaknesses    -                CWE-331
References    -                -

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-21T21:31:45.691Z

Reserved: 2026-05-14T17:55:07.623Z

Link: CVE-2026-46473

Vulnrichment

Updated: 2026-05-21T21:31:45.691Z

NVD

Status : Received

Published: 2026-05-21T19:16:53.510

Modified: 2026-05-21T22:16:48.157

Link: CVE-2026-46473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T21:30:19Z

Weaknesses