PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13410 GARU CVE debrief

CVE-2026-13410 was reported in Dancer::Plugin::Auth::Google versions through 0.07 for Perl. The default user agent is initialized with SSL_verify_mode explicitly disabled. This CVE record was published on 2026-07-17T13:17:56.663Z and has not been modified since then. The vulnerability allows an attacker with network man-in-the-middle capability to intercept the OAuth2 token exchange and userinfo fetch, return a forged access_token and user profile, and be logged in to the Dancer application as any Google user. Users should be aware of the potential for man-in-the-middle attacks due to disabled TLS verification.

Vendor
GARU
Product
Dancer::Plugin::Auth::Google
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Dancer::Plugin::Auth::Google versions through 0.07 for Perl should be aware of the potential for man-in-the-middle attacks due to disabled TLS verification. This affects operators who manage Dancer applications, platform administrators responsible for security configurations, vulnerability management teams, and security teams monitoring for potential threats. They should review system configurations, assess potential impact, and plan for updates or mitigations.

Technical summary

The Dancer::Plugin::Auth::Google module for Perl has a security issue due to TLS verification being disabled by default. This is achieved by explicitly disabling SSL_verify_mode in the default user agent initialization. An attacker with network man-in-the-middle capability between the Dancer application and googleapis.com can intercept the OAuth2 token exchange and userinfo fetch. They can return a forged access_token and user profile, allowing them to be logged in to the Dancer application as any Google user. This issue requires immediate attention to prevent potential security breaches.

Defensive priority

High priority should be given to updating Dancer::Plugin::Auth::Google to a version that enables TLS verification. Implementing proper TLS verification for user agent initialization and monitoring for potential man-in-the-middle attacks are also crucial. Reviewing and updating network security configurations will help prevent similar vulnerabilities in the future.

Recommended defensive actions

  • Update Dancer::Plugin::Auth::Google to a version that enables TLS verification.
  • Implement proper TLS verification for user agent initialization.
  • Monitor for potential man-in-the-middle attacks.
  • Review and update network security configurations.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Additional details can be found in the source references, including a GitHub pull request and Metacpan documentation. Evidence limits suggest that further verification is needed to confirm affected deployments and assess potential impact. Defenders should verify system configurations, review network security settings, and monitor for potential man-in-the-middle attacks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T13:17:56.663Z and has not been modified since then.