CVE-2026-5091
Timing Attack Vulnerability in Catalyst::Plugin::Authentication
Publication date: 2026-05-21
Last updated on: 2026-05-22
Assigner: CPANSec
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| catalyst | plugin | up to 0.10024 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform timing attacks to infer sensitive information such as hashes or passwords. By exploiting timing discrepancies during authentication comparisons, an attacker could potentially gain unauthorized access or compromise user credentials.
Can you explain this vulnerability to me?
The vulnerability exists in Catalyst::Plugin::Authentication versions through 0.10024 for Perl. It is susceptible to timing attacks because these versions use Perl's built-in `eq` comparison, which returns as soon as the two strings differ in length or at the first mismatching byte. Differences in the time it takes to compare values can be exploited to guess the underlying hash or password.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Catalyst::Plugin::Authentication allows timing attacks that could enable attackers to guess passwords or underlying hashes. Such unauthorized access risks compromising sensitive data.
This kind of security weakness can impact compliance with standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive information against unauthorized access.
By allowing attackers to infer passwords through timing discrepancies, the vulnerability undermines the confidentiality and integrity of authentication mechanisms, potentially leading to data breaches that violate these regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-5091 vulnerability, you should upgrade Catalyst::Plugin::Authentication to version 0.10026 or later.
The vulnerability is caused by the use of Perl's built-in string comparison (`eq`), which is vulnerable to timing attacks. The fix replaces these comparisons with a constant-time comparison algorithm to prevent timing information leakage.
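As an added example (not code from Catalyst::Plugin::Authentication or its actual fix), the leaky `eq` pattern described above beside a constant-time comparison written for this page; the digest values are constructed sample data.

```perl
#!/usr/bin/env perl
# Added example, not code from Catalyst::Plugin::Authentication: the
# leaky `eq` pattern the advisory describes beside a constant-time check.
use strict;
use warnings;

# Leaky: `eq` returns as soon as the lengths differ or at the first
# differing byte, so the elapsed time correlates with how much of the
# stored value the supplied one matches.
sub compare_leaky {
    my ($stored, $supplied) = @_;
    return $stored eq $supplied ? 1 : 0;
}

# Constant-time: always processes every byte of $stored and folds each
# byte difference into $diff with XOR and OR, so the work done does not
# depend on where the first mismatch is. Only the length of $stored is
# observable; compare fixed-length digests (e.g. hex SHA-256) so even
# that reveals nothing secret.
sub compare_constant_time {
    my ($stored, $supplied) = @_;
    my $len  = length $stored;
    my $diff = length($supplied) ^ $len;   # 0 only if lengths match
    # Pad or truncate $supplied to $len so the loop never reads past the end.
    my $padded = substr($supplied . ("\0" x $len), 0, $len);
    my @stored_bytes   = unpack 'C*', $stored;   # ASCII hex digests assumed
    my @supplied_bytes = unpack 'C*', $padded;
    $diff |= $stored_bytes[$_] ^ $supplied_bytes[$_] for 0 .. $len - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values (hex digest strings, not real credentials).
my $stored_hash = 'a3f1c9d2e4b5a6c7d8e9f0a1b2c3d4e5';
my @probes = (
    $stored_hash,                         # exact match -> 1 / 1
    'a3f1c9d2e4b5a6c7d8e9f0a1b2c3d4e6',   # differs in last byte -> 0 / 0
    'a3f1',                               # prefix only -> 0 / 0
    '',                                   # empty -> 0 / 0
);
for my $p (@probes) {
    printf "%-36s leaky=%d constant=%d\n",
        "'$p'", compare_leaky($stored_hash, $p),
        compare_constant_time($stored_hash, $p);
}
```

Both functions return the same verdict for every probe; the difference is that `compare_constant_time` does the same amount of work regardless of which probe it is given.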