PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5091 JJNAPIORK CVE debrief

CVE-2026-5091 describes a timing-side-channel weakness in Catalyst::Plugin::Authentication for Perl. Versions through 0.10024 used Perl's built-in eq comparison when checking authentication data, and timing differences could help an attacker guess the underlying hash or password. The supplied NVD record maps the issue to CWE-208 and cites a GitHub patch plus a MetaCPAN changelog as references.

Vendor
JJNAPIORK
Product
Catalyst::Plugin::Authentication
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-22
Advisory published
2026-05-21
Advisory updated
2026-05-22

Who should care

Perl application teams using Catalyst::Plugin::Authentication, especially maintainers of login flows and password verification logic. Security teams should also review any deployment where the affected module version may still be in use.

Technical summary

The flaw is a comparison-timing issue (CWE-208, observable timing discrepancy). Perl's eq is a general-purpose string comparison, not a secret comparison: it may stop as soon as it finds a mismatch, so the time taken to reject a wrong value can depend on how many leading bytes agree with the expected value. An attacker who can submit many guesses and measure response times can use that difference to confirm the expected value a prefix at a time, which is why the record describes the issue as helping to guess the underlying hash or password. The available record says versions through 0.10024 are affected; it does not state which release carries the fix, so that should be confirmed against the cited changelog. The remedy for this class of bug is a comparison routine that always examines every byte, removing the data-dependent early exit.
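The two comparison styles side by side, as an added illustration (this is not code from Catalyst::Plugin::Authentication or from the cited patch; the SHA-256 digest scheme, the function names and the sample password are assumptions chosen for the example):

```perl
#!/usr/bin/env perl
# Added illustration: an eq-based secret check beside a fixed-time one.
# Not the code of Catalyst::Plugin::Authentication; digest scheme,
# function names and sample data are assumptions for this example.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module

# Weak check: `eq` is a general-purpose comparison. It has no obligation
# to look at every byte once a mismatch is found, so its running time can
# depend on how many leading bytes of the two values agree.
sub verify_weak {
    my ($stored_hex, $supplied_password) = @_;
    return sha256_hex($supplied_password) eq $stored_hex ? 1 : 0;
}

# Fixed-time check: XOR every byte pair and OR the results together, so
# the same work is done whether the first byte or the last one differs.
# Comparing lengths up front is acceptable here because hex digests of
# one algorithm always have the same length; only the content is secret.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

sub verify_fixed_time {
    my ($stored_hex, $supplied_password) = @_;
    return constant_time_eq(sha256_hex($supplied_password), $stored_hex);
}

# Constructed sample: the stored digest of the password "correct horse".
my $stored = sha256_hex('correct horse');

for my $attempt ('correct horse', 'correct hors', 'wrong') {
    printf "%-16s weak=%d fixed=%d\n", "'$attempt'",
        verify_weak($stored, $attempt), verify_fixed_time($stored, $attempt);
}
```

Both functions return the same accept/reject results; only the shape of the work differs. The fixed-time version does not make Perl constant-time in any absolute sense (the interpreter gives no such guarantee), but it removes the data-dependent early exit that this class of weakness relies on, and the same pattern applies to any other secret compared with eq, such as session or reset tokens.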

Defensive priority

High

Recommended defensive actions

  • Inventory Perl services that use Catalyst::Plugin::Authentication and confirm whether any instance is at or below 0.10024. Check every interpreter and library path an application actually loads (system perl, local::lib, vendored or containerised copies), since an older shadowed copy can sit beside a patched one.
  • Upgrade to a version that includes the upstream fix once validated against the project changelog and release notes; the record available here does not name the fixed release.
  • Review other authentication code paths (password checks, session and API tokens, password-reset tokens) for eq-based secret comparison and other timing oracles, and replace them with a comparison that always examines every byte.
  • Add compensating controls such as rate limiting, monitoring, and lockout policies to reduce the number of repeated measurements an attacker can take.
  • Validate login behavior for consistent failure handling and response timing where practical.
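An inventory helper for the first two steps, added here and not part of the PatchSiren record or of the module: it lists every copy of Catalyst::Plugin::Authentication visible on the running interpreter's @INC and flags any whose version is at or below 0.10024, the affected range the record gives. The script, its output format and the exit-code convention are assumptions of this example; run it with the same perl binary and PERL5LIB the application uses, or it will inspect the wrong installation.

```perl
#!/usr/bin/env perl
# Added inventory helper (example code, not from the record or the module).
# Lists every Catalyst::Plugin::Authentication copy on @INC and flags those
# at or below 0.10024, the affected range stated in the CVE record.
use strict;
use warnings;
use File::Spec;
use Module::Metadata;   # core since Perl 5.14
use version;

my $LAST_AFFECTED = version->parse('0.10024');   # from the CVE record
my @MODULE_PATH   = qw(Catalyst Plugin Authentication.pm);

# Walk @INC directly instead of `require`-ing the module, so shadowed
# copies later in the path are reported too, not just the first hit.
sub find_installed_copies {
    my (@found, %seen);
    for my $dir (@INC) {
        next if ref $dir;                               # skip @INC hooks
        my $path = File::Spec->catfile($dir, @MODULE_PATH);
        next unless -f $path;
        next if $seen{ File::Spec->rel2abs($path) }++;  # same file, two aliases
        my $meta = Module::Metadata->new_from_file($path);
        my $ver  = $meta ? $meta->version : undef;
        push @found, { path => $path, version => defined $ver ? "$ver" : undef };
    }
    return @found;
}

# 1 = affected, 0 = outside the stated range, undef = version not parseable.
sub is_affected {
    my ($ver) = @_;
    return unless defined $ver;
    my $parsed = eval { version->parse($ver) };
    return unless defined $parsed;
    return $parsed <= $LAST_AFFECTED ? 1 : 0;
}

my @copies = find_installed_copies();
if (!@copies) {
    print "Catalyst::Plugin::Authentication: not found on \@INC\n";
    exit 0;
}

my $exit = 0;
for my $copy (@copies) {
    my $status = is_affected($copy->{version});
    my $label  = !defined $status ? 'VERSION UNKNOWN, inspect manually'
               : $status           ? 'AFFECTED (<= 0.10024)'
               :                     'outside the stated affected range';
    printf "%-50s %-10s %s\n", $copy->{path}, $copy->{version} // 'undef', $label;
    $exit = 1 if $status;
}
exit $exit;   # non-zero when at least one affected copy was found
```

Because the page does not identify the fixed release, the script only tests the affected range the record states; a copy reported as outside that range still needs to be checked against the changelog before it is treated as patched.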

Evidence notes

This debrief is based on the supplied NVD record and its metadata: the CVE description states that versions through 0.10024 use Perl's built-in eq comparison and are susceptible to timing attacks, and the record maps the issue to CWE-208. The record also cites a GitHub patch and a MetaCPAN changelog, but the corpus does not provide their contents.

Official resources

Published by NVD/CVE on 2026-05-21T22:16:48.530Z. The publication and last-modification dates listed in the metadata above are taken from the supplied record, which lists no KEV entry. The record's references are a GitHub patch and a MetaCPAN changelog; their contents were not available for this debrief, so the fixed release must be confirmed there directly.