CVE-2026-5091
Received Received - Intake
Timing Attack Vulnerability in Catalyst::Plugin::Authentication

Publication date: 2026-05-21

Last updated on: 2026-05-22

Assigner: CPANSec

Description
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-22
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-5091
EUVD
EUVD-2026-31353
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
catalyst plugin to 0.10024 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker to perform timing attacks to infer sensitive information such as hashes or passwords. By exploiting timing discrepancies during authentication comparisons, an attacker could potentially gain unauthorized access or compromise user credentials.

Executive Summary

The vulnerability exists in Catalyst::Plugin::Authentication versions through 0.10024 for Perl. It is susceptible to timing attacks because these versions use Perl's built-in eq comparison. Differences in the time it takes to compare values can be exploited to guess the underlying hash or password.

Compliance Impact

The vulnerability in Catalyst::Plugin::Authentication allows timing attacks that could enable attackers to guess passwords or underlying hashes. Such unauthorized access risks compromising sensitive data.

This kind of security weakness can impact compliance with standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive information against unauthorized access.

By allowing attackers to infer passwords through timing discrepancies, the vulnerability undermines the confidentiality and integrity of authentication mechanisms, potentially leading to data breaches that violate these regulations.

Mitigation Strategies

To mitigate the CVE-2026-5091 vulnerability, you should upgrade Catalyst::Plugin::Authentication to version 0.10026 or later.

The vulnerability is caused by the use of Perl's built-in string comparison (eq) which is vulnerable to timing attacks. The fix replaces these comparisons with a constant-time comparison algorithm to prevent timing information leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart