CVE-2026-13410
Deferred Deferred - Pending Action

OAuth2 Token Forgery in Dancer::Plugin::Auth::Google

Vulnerability report for CVE-2026-13410, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: CPANSec

Description

Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSL_verify_mode explicitly disabled. An attacker with network man-in-the-middle (MITM) capability between the Dancer application and googleapis.com can intercept the OAuth2 token exchange and userinfo fetch, return a forged access_token and user profile, and be logged in to the Dancer application as any Google user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
garu dancer_plugin_auth_google 0.07

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Dancer::Plugin::Auth::Google versions through 0.07 for Perl. The plugin disables TLS verification by default, allowing attackers to intercept OAuth2 token exchanges and userinfo requests between the Dancer application and googleapis.com. This can lead to forged access tokens and user profiles, enabling unauthorized login as any Google user.

Detection Guidance

Check Perl applications using Dancer::Plugin::Auth::Google versions through 0.07. Inspect code for SSL_verify_mode set to SSL_VERIFY_NONE(). Use commands like grep -r 'SSL_VERIFY_NONE' /path/to/perl/modules or perl -MDancer::Plugin::Auth::Google -e 'print $Dancer::Plugin::Auth::Google::VERSION' to verify versions.

Impact Analysis

If you use a vulnerable version of Dancer::Plugin::Auth::Google, an attacker with network access could impersonate any Google user in your application. This could lead to unauthorized access to user data, privilege escalation, or data breaches depending on the application's functionality.

Compliance Impact

This vulnerability could violate compliance requirements that mandate secure authentication and data protection, such as GDPR's encryption standards or HIPAA's safeguards for protected health information. Unauthorized access risks data breaches, leading to potential legal and regulatory penalties.

Mitigation Strategies

Update Dancer::Plugin::Auth::Google to a patched version where SSL_verify_mode is set to SSL_VERIFY_PEER(). If no patch is available, manually modify the module's source code to enable SSL verification as shown in the patch from Resource 2.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart