CVE-2026-12746
Status: Received - Intake

Cross-Site Request Forgery in Dancer2::Plugin::Auth::OAuth::Provider

Vulnerability report for CVE-2026-12746, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: CPANSec

Description

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authentication_url method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated. Any application that uses this plugin for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

AI Quick Actions

Executive Summary

This vulnerability exists in Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl, where the OAuth 2.0 state parameter is not supported.

The plugin's authentication_url method does not issue a state value, and the callback method registers the token into the session without verifying that the callback corresponds to the authorization request initiated by that session.

As a result, an attacker can exploit this by initiating an authorization with their own provider account and then delivering the callback to a victim. This causes the victim's session to complete the attacker's authorization, associating the attacker's provider identity and access token with the victim's session.

If the application links this as an account, the attacker may retain access to the victim's account through their own provider credentials.

Impact Analysis

This vulnerability can lead to login cross-site request forgery (CSRF), allowing an attacker to hijack a victim's session by associating the attacker's OAuth provider identity and access token with the victim's session.

Consequently, the attacker may gain unauthorized access to the victim's account if the application persists this association as an account link.

Detection Guidance

This vulnerability is related to the absence of the OAuth 2.0 state parameter in the Dancer2::Plugin::Auth::OAuth::Provider module versions before 0.23. Detection involves verifying whether the OAuth 2.0 authentication flow includes a state token to prevent CSRF attacks.

You can check the version of the Dancer2::Plugin::Auth::OAuth module installed on your system to determine if it is vulnerable (versions before 0.23 are affected).

  • Use Perl commands or scripts to query the installed module version, for example: `perl -MDancer2::Plugin::Auth::OAuth -e 'print $Dancer2::Plugin::Auth::OAuth::VERSION'`
  • Inspect OAuth 2.0 authorization URLs generated by your application to see if they include a state parameter.
  • Monitor OAuth callback requests to verify if the state parameter is present and validated against the session.

Mitigation Strategies

The primary mitigation is to upgrade the Dancer2::Plugin::Auth::OAuth::Provider module to version 0.23 or later, which implements state token generation and validation to prevent CSRF attacks.

This update introduces a cryptographically secure random state token that is generated during OAuth2 authentication requests, stored in the user's session, and validated upon callback.

If immediate upgrade is not possible, consider implementing custom state parameter handling in your OAuth flow to ensure callbacks are bound to the session that initiated the authorization.
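The following is an added illustration (not the plugin's Perl code, nor code from the 0.23 fix) of the defect described above and of the state handling the mitigation calls for: the vulnerable pair issues no state and accepts any callback, the fixed pair binds a random state to the session that started the flow and rejects a callback that does not match it. AUTHORIZE_ENDPOINT, exchange_code and the dict-based session are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"  # constructed placeholder

def exchange_code(code):
    # Stand-in for the provider's code-for-token exchange (constructed, no HTTP).
    return f"token-for-{code}"

def authentication_url_vulnerable(session, client_id, redirect_uri):
    # Pre-0.23 behaviour as the advisory describes it: no state is issued,
    # so nothing ties the later callback to this session.
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(q)

def authentication_url_fixed(session, client_id, redirect_uri):
    # Cryptographically random state, stored in the session that starts the flow.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    q = {"response_type": "code", "client_id": client_id,
         "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(q)

def callback_vulnerable(session, params):
    # Registers whatever code arrives: a callback started elsewhere completes here.
    session["token"] = exchange_code(params["code"])
    return True

def callback_fixed(session, params):
    # The state is single-use and must match the one this session issued.
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received or \
            not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    session["token"] = exchange_code(params["code"])
    return True

def auth_url_has_state(url):
    # Detection check from the advisory: does a generated authorization URL carry state?
    return bool(parse_qs(urlparse(url).query).get("state"))

def demo():
    attacker, victim = {}, {}
    authentication_url_fixed(attacker, "app", "https://app.example/cb")
    foreign = {"code": "attackers-code", "state": attacker["oauth_state"]}
    # A callback from the attacker's flow lands in a victim session that started no flow.
    vulnerable_accepts = callback_vulnerable(dict(victim), foreign)
    fixed_rejects = callback_fixed(dict(victim), foreign)
    own = {"code": "attackers-code", "state": attacker["oauth_state"]}
    fixed_accepts_own = callback_fixed(attacker, own)
    return vulnerable_accepts, fixed_rejects, fixed_accepts_own
```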

Compliance Impact

The vulnerability in Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 allows login cross-site request forgery (CSRF), which can lead to unauthorized access to user accounts by associating an attacker's provider identity with a victim's session.

This security flaw undermines the integrity and confidentiality of user authentication sessions, potentially violating security best practices required by standards such as GDPR and HIPAA that mandate protection of personal and sensitive data.

Specifically, failure to properly validate OAuth 2.0 state parameters can lead to unauthorized access and session hijacking, which may result in unauthorized disclosure or modification of personal data, thereby impacting compliance with data protection regulations.

The fix introduced in version 0.23 implements state token generation and validation as a defense against CSRF, aligning the plugin with OAuth 2.0 security recommendations (RFC 6749 §10.12) and helping applications using this plugin to better meet compliance requirements related to secure authentication.
