PatchSiren cyber security CVE debrief
CVE-2026-12746 BIAFRA CVE debrief
CVE-2026-12746 is a vulnerability in Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl. The plugin does not support the OAuth 2.0 state parameter, which allows an attacker to perform a login cross-site request forgery (CSRF) attack. An attacker can start an authorization with their own provider account and deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associate the attacker's provider identity and access token with that session. This vulnerability can lead to unauthorized access to a victim's account if the application persists the attacker's provider credentials as an account link.
- Vendor: BIAFRA
- Product: Dancer2::Plugin::Auth::OAuth::Provider
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-07-04
- Original CVE updated: 2026-07-04
- Advisory published: 2026-07-04
- Advisory updated: 2026-07-04
Who should care
Developers and administrators of applications using Dancer2::Plugin::Auth::OAuth::Provider for OAuth 2.0 login should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.23 or later of the plugin and implementing additional security measures to prevent CSRF attacks.
Technical summary
The authentication_url method in Dancer2::Plugin::Auth::OAuth::Provider builds the provider authorization redirect without issuing a state value. The callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated. This allows an attacker to perform a CSRF attack by delivering the callback to a victim, causing the victim's session to complete the attacker's authorization.
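The two flows described above, modelled side by side as an added example (Python, not code from Dancer2::Plugin::Auth::OAuth::Provider or from BIAFRA): the vulnerable pattern issues no state and accepts any callback, while the hardened pattern stores an unguessable state value in the server-side session when the authorization redirect is built and refuses a callback whose state does not match. The provider endpoint, client id, redirect URI, the `exchange_code` stand-in and the plain-dict session are all assumptions made for the demonstration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; nothing here is tied to a real provider.
PROVIDER_AUTH_ENDPOINT = "https://provider.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"


def exchange_code(code: str) -> str:
    """Stand-in for the code-for-token exchange (assumed, not a real provider call)."""
    return "token-for-" + code


def parse_callback(url: str) -> dict:
    """Reduce a callback URL's query string to a flat {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# ---- Vulnerable pattern: no state issued, no state checked ----
def authentication_url_vulnerable(session: dict) -> str:
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI}
    return PROVIDER_AUTH_ENDPOINT + "?" + urlencode(params)


def callback_vulnerable(session: dict, query: dict) -> str:
    # Accepts any callback, whether or not this session started an authorization.
    token = exchange_code(query["code"])
    session["oauth_token"] = token
    return token


# ---- Hardened pattern: state bound to the session and checked once ----
def authentication_url(session: dict) -> str:
    state = secrets.token_urlsafe(32)   # unguessable, fresh per authorization request
    session["oauth_state"] = state      # kept server-side, tied to this session only
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return PROVIDER_AUTH_ENDPOINT + "?" + urlencode(params)


def callback(session: dict, query: dict) -> str:
    expected = session.pop("oauth_state", None)  # single use: consumed on first callback
    received = query.get("state")
    if expected is None or received is None \
            or not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: callback not initiated by this session")
    token = exchange_code(query["code"])
    session["oauth_token"] = token
    return token


def demo() -> dict:
    """Run both patterns against a callback this session did not initiate."""
    results = {}
    # Constructed callback, as a provider would deliver it after an
    # authorization that some *other* session started.
    foreign_callback = parse_callback(REDIRECT_URI + "?code=abc123")

    victim = {}
    callback_vulnerable(victim, foreign_callback)
    results["vulnerable_accepts_foreign_callback"] = "oauth_token" in victim

    victim = {}
    try:
        callback(victim, foreign_callback)
        results["hardened_rejects_foreign_callback"] = False
    except PermissionError:
        results["hardened_rejects_foreign_callback"] = True

    # Legitimate round trip: the state issued here comes back unchanged.
    victim = {}
    state = parse_callback(authentication_url(victim))["state"]
    own_callback = parse_callback(
        REDIRECT_URI + "?" + urlencode({"code": "abc123", "state": state}))
    results["hardened_accepts_own_callback"] = (
        callback(victim, own_callback) == "token-for-abc123")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The comparison uses `hmac.compare_digest` and pops the stored state so that a callback can be consumed only once; a session that never called `authentication_url` has nothing to compare against and is rejected outright, which is the check the plugin lacked before 0.23.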
Defensive priority
High priority should be given to updating to version 0.23 or later of Dancer2::Plugin::Auth::OAuth::Provider. Additionally, applications should implement CSRF protection mechanisms, such as token-based validation, to prevent attacks.
Recommended defensive actions
- Update to version 0.23 or later of Dancer2::Plugin::Auth::OAuth::Provider
- Implement CSRF protection for the OAuth login flow, such as token-based validation using an unguessable, per-request state value stored in the session
- Verify that every callback corresponds to an authorization request this session initiated: the state returned by the provider must match the one the session issued, and the stored value should be discarded after one use
- Monitor for suspicious activity, such as callbacks arriving for sessions that never started an authorization, and implement incident response plans
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and references. The source item URL provides additional information on the vulnerability, including its status and references.
Official resources
- CVE-2026-12746 CVE record (CVE.org)
- CVE-2026-12746 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e
This article is AI-assisted and based on the supplied source corpus.