PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8450 OALDERS CVE debrief

HTTP::Daemon versions before 6.17 for Perl contain an OS command injection vulnerability in the send_file() function. The function passes untrusted input to Perl's two-argument open(), which interprets special characters in the string instead of treating it as a literal path: a leading '|' ('| cmd') pipes to a command, a trailing '|' ('cmd |') pipes from one, and write-mode prefixes ('> path', '>> path') create or truncate files. An attacker who controls the argument can execute arbitrary commands, create or truncate files, and potentially leak subprocess output into HTTP responses.

Vendor
OALDERS
Product
HTTP::Daemon
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Perl-based HTTP servers using HTTP::Daemon versions prior to 6.17, particularly those exposing send_file() functionality to user-controlled input paths. This includes legacy web applications, embedded systems, and development environments using the libwww-perl ecosystem.

Technical summary

The vulnerability exists in HTTP::Daemon's send_file() function, which passes its string argument directly to Perl's two-argument open(). That form parses the string for "magic" characters: a leading '|' ('| cmd') pipes to a command, a trailing '|' ('cmd |') pipes from a command and makes its stdout readable through the handle, and '> path' or '>> path' open the target for writing, creating or truncating it. Because send_file() then copies whatever the handle yields into the response, an attacker who controls the filename parameter gets remote code execution as the daemon process UID (the command runs as a child of the daemon), information disclosure through response body injection (command output returned as the file body), or arbitrary file creation and truncation wherever the daemon UID can write. The fix in version 6.17 removes the two-argument open() so the argument is never parsed for these forms.
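To make the two-argument open() behaviour concrete, the following is an added example and not HTTP::Daemon's own code: unsafe_send_file() and safe_send_file() are hypothetical stand-ins that reproduce the pattern the advisory describes (two-argument open() on attacker-controlled input) beside a hardened version that uses three-argument open() and an allow-list on the path. The script really runs `echo` through the pipe form and really creates a file through the write form, but only inside a temporary directory it cleans up.

```perl
#!/usr/bin/env perl
# Added example (not from HTTP::Daemon or the advisory): two-argument open()
# on untrusted input versus three-argument open() with an allow-list.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# VULNERABLE PATTERN. Two-argument open() parses $file for magic characters:
#   "| cmd"   pipe to a command       "cmd |"   pipe from a command
#   "> path"  create/truncate         ">> path" append
# so attacker-controlled $file becomes a command or a write target.
sub unsafe_send_file {
    my ($file) = @_;
    open(my $fh, $file) or return "open failed: $!";   # two-argument form
    no warnings 'io';      # reading a write-only handle warns; irrelevant here
    local $/;              # slurp whatever the handle yields into the "body"
    my $body = <$fh> // '';
    close($fh);
    return $body;
}

# HARDENED PATTERN. The mode is a separate argument, so the path is never
# parsed, and an allow-list keeps the path a simple relative name under
# $docroot (no leading '/', no empty or '..' segments, no shell characters).
sub safe_send_file {
    my ($docroot, $file) = @_;
    return undef unless $file =~ m{\A[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\z}
                     && $file !~ m{(?:\A|/)\.\.(?:/|\z)};
    my $path = File::Spec->catfile($docroot, $file);
    open(my $fh, '<', $path) or return undef;           # explicit read mode
    local $/;
    my $body = <$fh> // '';
    close($fh);
    return $body;
}

my $dir = tempdir(CLEANUP => 1);                        # scratch area for the demo
my $good = File::Spec->catfile($dir, 'index.html');
open(my $out, '>', $good) or die "cannot create $good: $!";
print $out "<h1>hello</h1>\n";
close($out);

# 1. A legitimate file is served by both implementations.
print "unsafe, normal file: ", unsafe_send_file($good);
print "safe,   normal file: ", safe_send_file($dir, 'index.html');

# 2. A "cmd |" value: two-argument open() runs the command and its stdout
#    becomes the response body. The hardened version rejects the value.
my $payload = 'echo INJECTED-BY-PIPE |';
print "unsafe, pipe value:  ", unsafe_send_file($payload);
print "safe,   pipe value:  ",
      (defined safe_send_file($dir, $payload) ? 'served' : 'rejected'), "\n";

# 3. A "> path" value: two-argument open() creates/truncates the target.
my $victim = File::Spec->catfile($dir, 'created-by-open.txt');
unsafe_send_file("> $victim");
print "unsafe, write value: ", (-e $victim ? "created $victim" : 'no file'), "\n";
print "safe,   write value: ",
      (defined safe_send_file($dir, "> $victim") ? 'served' : 'rejected'), "\n";
```

The allow-list is the important half of the fix: three-argument open() stops the string being parsed as a command or redirection, but on its own it still lets a caller pass an absolute path or '..' segments, so the regex pins the argument to a plain relative name under the document root.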

Defensive priority

critical

Recommended defensive actions

  • Upgrade HTTP::Daemon to version 6.17 or later
  • Audit application code for any direct or indirect calls to send_file() with user-controlled input
  • Implement input validation and sanitization for all file paths passed to HTTP::Daemon methods
  • Consider using three-argument open() or Path::Tiny for file operations in custom Perl HTTP server implementations
  • Review access logs for requests whose file path parameters, after URL decoding, begin with '|', '>' or '>>' or end with '|' (for example %7C and %3E encodings); the magic forms only take effect when the characters sit at the start or end of the string
  • Deploy Web Application Firewall (WAF) rules that decode the path and query parameters before matching and block values carrying open() magic prefixes or suffixes, including their URL-encoded forms
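A practical form of the log-review step, as an added example rather than anything shipped by the advisory or by HTTP::Daemon: the script below scans combined-format access log lines, URL-decodes the request path and every query value, and flags the forms that two-argument open() treats specially. The log lines are constructed samples, the query parameter name `file` is an assumed application detail, and URI::Escape (from the URI distribution that ships alongside libwww-perl) is assumed to be installed.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory): flag two-argument open() magic
# forms in access log request targets. Sample log lines are constructed.
use strict;
use warnings;
use URI::Escape qw(uri_unescape);

# Forms that two-argument open() interprets (perldoc -f open):
#   "| cmd" pipe to command      "cmd |" pipe from command
#   "> p" / ">> p" write/append  "< p" / "+< p" read / read-write
#   "-" STDIN, ">-" STDOUT       ">&N", "<&=N" duplicate a file descriptor
my @magic = (
    [ qr/\A\s*\|/,          'pipe-to-command'        ],
    [ qr/\|\s*\z/,          'pipe-from-command'      ],
    [ qr/\A\s*>>?/,         'write/append redirect'  ],
    [ qr/\A\s*\+?</,        'read/read-write redirect' ],
    [ qr/\A\s*>?-\s*\z/,    'STDIN/STDOUT handle'    ],
    [ qr/\A\s*[<>]&=?\d*/,  'fd duplication'         ],
    [ qr/\x00/,             'NUL byte'               ],
);

# Returns a list of [reason, decoded_value] pairs for one log line, empty
# when nothing suspicious was found. The URL path is checked with its
# leading '/' stripped, since applications commonly map it that way.
sub scan_line {
    my ($line) = @_;
    my ($target) = $line =~ /"(?:GET|POST|HEAD)\s+(\S+)/ or return ();
    my ($path, $query) = split /\?/, $target, 2;
    my @values = ($path =~ s{\A/+}{}r);
    if (defined $query) {
        push @values, map { (split /=/, $_, 2)[1] // '' } split /&/, $query;
    }
    my @hits;
    for my $raw (@values) {
        (my $v = uri_unescape($raw)) =~ s/\+/ /g;   # form encoding of spaces
        for my $m (@magic) {
            push @hits, [ $m->[1], $v ] if $v =~ $m->[0];
        }
    }
    return @hits;
}

# Constructed sample lines: one benign request, then the pipe-to,
# pipe-from and write forms in the query, and an append form in the path.
my @sample = (
    '203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 1024',
    '203.0.113.7 - - [27/May/2026:10:00:02 +0000] "GET /download?file=%7C%20id HTTP/1.1" 200 57',
    '203.0.113.7 - - [27/May/2026:10:00:03 +0000] "GET /download?file=cat%20/etc/passwd%20%7C HTTP/1.1" 200 2147',
    '203.0.113.9 - - [27/May/2026:10:00:04 +0000] "GET /download?file=%3E%20/tmp/owned HTTP/1.1" 200 0',
    '203.0.113.9 - - [27/May/2026:10:00:05 +0000] "GET /%3E%3E%20/tmp/log HTTP/1.1" 404 0',
);

for my $line (@sample) {
    my @hits = scan_line($line) or next;
    my ($ip) = $line =~ /\A(\S+)/;
    printf "%-12s %-26s %s\n", $ip, $_->[0], $_->[1] for @hits;
}
```

Run it against a real log with `while (<STDIN>) { ... scan_line($_) ... }` in place of the sample array. Decoding before matching matters: the raw log holds `%7C` and `%3E`, so a grep for literal `|` or `>` misses exactly the requests this check is meant to find, and a response code of 200 with a small body on a flagged line is the pattern that suggests command output was served.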

Evidence notes

CVE published 2026-05-27. Vendor evidence from Metacpan release metadata identifies OALDERS as release maintainer. Patch commit and pull request #89 address the vulnerability. CWE-73 (External Control of File Name or Path) and CWE-78 (OS Command Injection) assigned.

Official resources

2026-05-27