PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12746 BIAFRA CVE debrief

CVE-2026-12746 is a vulnerability in Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl. The plugin does not support the OAuth 2.0 state parameter, which allows an attacker to perform a login cross-site request forgery (CSRF) attack. An attacker can start an authorization with their own provider account and deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associate the attacker's provider identity and access token with that session. This vulnerability can lead to unauthorized access to a victim's account if the application persists the attacker's provider credentials as an account link.

Vendor
BIAFRA
Product
Dancer2::Plugin::Auth::OAuth::Provider
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-04
Original CVE updated
2026-07-04
Advisory published
2026-07-04
Advisory updated
2026-07-04

Who should care

Developers and administrators of applications using Dancer2::Plugin::Auth::OAuth::Provider for OAuth 2.0 login should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.23 or later of the plugin and implementing additional security measures to prevent CSRF attacks.

Technical summary

The authentication_url method in Dancer2::Plugin::Auth::OAuth::Provider builds the provider authorization redirect without issuing a state value. The callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated. This allows an attacker to perform a CSRF attack by delivering the callback to a victim, causing the victim's session to complete the attacker's authorization.

Defensive priority

High priority should be given to updating to version 0.23 or later of Dancer2::Plugin::Auth::OAuth::Provider. Additionally, applications should implement CSRF protection mechanisms, such as token-based validation, to prevent attacks.

Recommended defensive actions

  • Update to version 0.23 or later of Dancer2::Plugin::Auth::OAuth::Provider
  • Implement CSRF protection mechanisms, such as token-based validation
  • Verify that the callback corresponds to an authorization request this session initiated
  • Use a secure token to prevent CSRF attacks
  • Monitor for suspicious activity and implement incident response plans
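The state binding that the technical summary says is missing and that the actions above call for, as an added example that is not the plugin's own code: it is written in Python rather than Perl to show the check independently of the Dancer2 API, and the provider URL, client id, redirect URI and the dict used as a session store are assumed placeholders.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder values, not taken from the advisory or the plugin.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"


def authentication_url(session: dict) -> str:
    """Build the provider redirect and bind a fresh state value to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # kept server-side; only the provider sees it in the URL
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def callback(session: dict, callback_url: str) -> Optional[dict]:
    """Accept the callback only if it carries the state this session issued.

    Returns the authorization code on success, None otherwise. A callback that
    was started by someone else's browser never carries this session's state,
    so it is rejected before any code exchange or token registration happens.
    """
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use, consumed even on failure
    presented = params.get("state", [None])[0]
    if expected is None or presented is None:
        return None
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    code = params.get("code", [None])[0]
    return {"code": code} if code else None  # token exchange would follow here


def vulnerable_callback(session: dict, callback_url: str) -> Optional[dict]:
    """The pre-0.23 behaviour as the advisory describes it: no state check at all,
    so any delivered callback completes the authorization in this session."""
    params = parse_qs(urlsplit(callback_url).query)
    code = params.get("code", [None])[0]
    return {"code": code} if code else None
```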

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and references. The source item URL provides additional information on the vulnerability, including its status and references.

Official resources

This article is AI-assisted and based on the supplied source corpus.