Description
Trog::TOTP versions before 1.006 for Perl generate secrets using rand.

Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Published: 2026-05-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Trog::TOTP module, before version 1.006, creates TOTP shared secrets with Perl's built‑in rand function, which is not cryptographically secure and can be predicted by an attacker. This flaw means an adversary could potentially derive the secret used for time‑based one‑time passwords, allowing them to generate valid OTPs or impersonate a legitimate user. The weakness falls under CWE‑331 (Predictable Random Number Generation).

Affected Systems

All installations of the TEODESIAN Trog::TOTP Perl package with a version earlier than 1.006 are affected. Systems that employ this module for generating or storing OTP secrets, such as authentication services or multi‑factor configurations, are at risk if the old version is still in use.

Risk and Exploitability

The CVSS score is 7.5, indicating a high level of risk, and the EPSS score is <1%, suggesting a low probability of exploitation. This means no public exploitation data exists yet. However, because the secret generation uses an insecure random function, the potential for compromise remains high. The vulnerability is not listed in the CISA KEV catalog. An attacker who can observe a generated secret or has access to the randomisation process could predict future values, so the flaw is considered significant and warrants immediate rectification.

Generated by OpenCVE AI on May 18, 2026 at 16:22 UTC.

Remediation

Vendor Solution

Upgrade to version 1.006 or later.

OpenCVE Recommended Actions

  • Upgrade to Trog::TOTP version 1.006 or later.
  • Re‑generate all existing TOTP secrets after the upgrade.
  • Verify that no older Trog::TOTP versions remain on any deployment and replace any legacy secret‑generation logic that still uses rand.

Generated by OpenCVE AI on May 18, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Teodesian
Teodesian trog::totp
Vendors & Products Teodesian
Teodesian trog::totp

Fri, 15 May 2026 22:30:00 +0000

Type Values Removed Values Added
References

Fri, 15 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Title Trog::TOTP versions before 1.006 for Perl generate secrets using rand
Weaknesses CWE-331
References

Subscriptions

Teodesian Trog::totp
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-18T15:01:38.271Z

Reserved: 2026-05-14T17:55:07.623Z

Link: CVE-2026-46474

cve-icon Vulnrichment

Updated: 2026-05-15T21:23:28.941Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T18:16:26.053

Modified: 2026-05-18T17:40:45.343

Link: CVE-2026-46474

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T16:30:05Z

Weaknesses