CVE-2026-12740
Status: Received - Intake

Cross-Site Request Forgery in Plack::Middleware::OAuth

Vulnerability report for CVE-2026-12740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: CPANSec

Description

Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter. RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session (register_session) without verifying that the callback corresponds to an authorization request this session initiated. Any application that uses this middleware for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: plack
Product: middleware_oauth
Version / Range: through 0.10 (inclusive)

Exploitability

CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

AI Quick Actions

Executive Summary

Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter, a security feature designed to prevent cross-site request forgery (CSRF) attacks on the authorization flow.

Specifically, the middleware builds the OAuth provider authorization redirect without issuing a state value, and when exchanging the callback code for an access token, it does not verify that the callback corresponds to the authorization request initiated by the same session.

This means an attacker can start an authorization with their own provider account and then deliver the resulting callback to a victim. The victim's session will complete the attacker's authorization, associating the attacker's provider identity and access token with the victim's session. If the application links this as an account, the attacker may gain access to the victim's account through their own credentials.

Impact Analysis

This vulnerability can lead to login cross-site request forgery (CSRF) attacks, in which an attacker causes a victim's session to complete the attacker's authorization, so that the attacker's OAuth provider identity and access token become bound to the victim's session.

As a result, the attacker may gain unauthorized access to the victim's account if the application persists this association as an account link.

This compromises the security and integrity of user sessions and can lead to unauthorized access, data exposure, and potential misuse of the victim's account.

Detection Guidance

This vulnerability arises because Plack::Middleware::OAuth versions through 0.10 do not implement the OAuth 2.0 state parameter, which is used to prevent login cross-site request forgery (CSRF). Detection involves verifying whether the OAuth 2.0 authorization requests and callbacks include and validate the state parameter.

To detect this on your system, you can monitor OAuth authorization flows to check if the state parameter is present in the authorization request URL and if it is verified upon callback.

Suggested commands include capturing and inspecting HTTP traffic related to OAuth authorization requests and callbacks, for example using tools like tcpdump or tshark:

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep 'state='
  • tshark -Y 'http.request.uri contains "state="' -T fields -e http.request.uri

Note that traffic on port 443 is TLS-encrypted, so a packet capture only reveals the state parameter for plaintext HTTP or when taken where TLS is terminated (for example at a reverse proxy in front of the Plack application); the application's own request logs or the middleware source are more reliable places to look. The most direct check is the installed module version: every Plack::Middleware::OAuth release through 0.10 lacks state support.

If the state parameter is missing in the authorization requests or not verified in the callback handling, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability, update Plack::Middleware::OAuth to a version that supports the OAuth 2.0 state parameter, or apply the CPANSec patch (CVE-2026-12740-r1) to the installed 0.10 release.

The fix involves generating a cryptographically secure random state token during the authorization request, storing it in the session, and verifying it upon callback to prevent CSRF attacks.

Additional mitigation steps include:

  • Apply the patch available at https://security.metacpan.org/patches/P/Plack-Middleware-OAuth/0.10/CVE-2026-12740-r1.patch which implements the state parameter support.
  • Ensure your application properly handles and verifies the OAuth 2.0 state parameter in the authorization flow.
  • Upgrade dependencies such as Plack::Middleware::Session to at least version 0.35 and include Crypt::SysRandom as required by the patch.
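
The state binding described above (a random state issued when the redirect is built, stored in the session, checked once on callback) as an added example in the form of a minimal PSGI app; this is not the module's own patch. It assumes Plack::Middleware::Session populates psgix.session, and the provider URL, client id and redirect URI are placeholders.

```perl
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;
use Crypt::SysRandom qw(random_bytes);
use MIME::Base64 qw(encode_base64url);
use URI;

# Placeholder provider endpoint and client settings (assumptions for this example).
my $AUTHORIZE_URL = 'https://provider.example/oauth2/authorize';
my $CLIENT_ID     = 'example-client-id';
my $REDIRECT_URI  = 'https://app.example/oauth/callback';

# Constant-time comparison so a mismatch does not leak the stored state byte by byte.
sub same_secret {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}
my $app = sub {
    my $env     = shift;
    my $req     = Plack::Request->new($env);
    my $session = $env->{'psgix.session'};    # populated by Plack::Middleware::Session
    if ($req->path eq '/oauth/start') {
        # Fresh random state per authorization request, remembered only in this session.
        my $state = encode_base64url(random_bytes(32));
        $session->{oauth_state} = $state;
        my $uri = URI->new($AUTHORIZE_URL);
        $uri->query_form(response_type => 'code', client_id => $CLIENT_ID,
                         redirect_uri  => $REDIRECT_URI, state => $state);
        return [302, ['Location' => $uri->as_string], []];
    }
    if ($req->path eq '/oauth/callback') {
        # Consume the stored state once; the callback must carry the same value.
        my $expected = delete $session->{oauth_state};
        unless (same_secret($expected, $req->param('state'))) {
            return [403, ['Content-Type' => 'text/plain'], ['state mismatch: callback not bound to this session']];
        }
        # Only now is it safe to exchange the code for a token and register it into the session.
        my $code = $req->param('code') // '';
        return [200, ['Content-Type' => 'text/plain'], ["authorization code accepted: $code"]];
    }
    return [404, ['Content-Type' => 'text/plain'], ['not found']];
};
builder {
    enable 'Session';    # in-memory store for the example; use a persistent store in production
    $app;
};
```

A callback that arrives without the matching state, including one crafted by a third party for a different session, is rejected before any token exchange, which is the binding the unpatched middleware lacks.
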

Compliance Impact

This vulnerability in Plack::Middleware::OAuth versions through 0.10 allows login cross-site request forgery (CSRF) attacks by not supporting the OAuth 2.0 state parameter, which can lead to unauthorized account linking and access.

Such unauthorized access and session hijacking risks can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure authentication mechanisms to prevent unauthorized access.

Because the vulnerability allows an attacker to associate their credentials with a victim's session, it may lead to data breaches or unauthorized data access, potentially violating data protection and privacy requirements.

Mitigating this vulnerability by implementing OAuth 2.0 state parameter support, as recommended by RFC 6749 section 10.12, helps align with security best practices necessary for regulatory compliance.
