PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8612 OALDERS CVE debrief

WWW::Mechanize::Cached versions before 2.00 for Perl use a world-writable on-disk cache that deserializes cached HTTP responses via Storable::thaw, enabling local attackers to forge responses and potentially achieve code execution. The default Cache::FileCache backend creates directories under /tmp/FileCache with mode 0777 and no sticky bit, allowing any local user to modify cache entries. An attacker can replace a victim's cached response for a known URL with a maliciously crafted frozen HTTP::Response blob; when the victim's process next retrieves that URL, the forged bytes are passed to Storable::thaw. If the victim process has loaded classes with side-effectful STORABLE_thaw, DESTROY, or overload hooks, this can escalate to arbitrary code execution.

Vendor
OALDERS
Product
WWW::Mechanize::Cached
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Organizations running multi-user Perl applications that depend on WWW::Mechanize::Cached for HTTP request caching, particularly those with untrusted local users or shared hosting environments where /tmp is accessible to multiple security principals.

Technical summary

The vulnerability stems from an insecure default configuration: when no explicit cache backend is supplied, WWW::Mechanize::Cached instantiates Cache::FileCache with its default directory_umask of 000, so the cache directories under /tmp/FileCache are created world-writable (mode 0777). Cache entries are keyed by a SHA-1 hash of the request and stored as Storable-serialized HTTP::Response objects. Nothing protects the integrity of an entry: any local user who can write to the directory can replace an entry with bytes of their own choosing, and when the victim next reads it Storable::thaw rebuilds whatever data structure the bytes describe and blesses it into whatever package names they specify, with no check that the result is an HTTP::Response. Whether this reaches arbitrary code execution depends on which classes the victim process has loaded: a class with a STORABLE_thaw hook, a DESTROY method, or overloaded operators that act on attacker-controlled fields can be driven by the forged object when it is thawed or later freed.
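To make the deserialization point concrete, the following stand-alone Perl script is added for this debrief; it is not code from WWW::Mechanize::Cached or Cache::FileCache, and the class Victim::ScratchFile, its destructor and the temp file it removes are invented for the demo. It shows that Storable::thaw blesses the recovered hash into whatever package the attacker wrote into the frozen bytes, and that a destructor the victim already has loaded then runs against attacker-chosen fields when the object is freed.

```perl
#!/usr/bin/env perl
# Added toy demonstration, not code from WWW::Mechanize::Cached or Cache::FileCache.
# Storable::thaw blesses deserialized data into whatever package name the bytes
# carry, and Perl calls that package's DESTROY when the object is freed. A forged
# cache entry therefore drives code in classes the victim already has loaded.
# Victim::ScratchFile and its behaviour are invented for this demo.
use strict;
use warnings;
use Storable qw(freeze thaw);
use File::Temp qw(tempfile);

# Stand-in for a file the attacker wants removed; here a harmless temp file.
my ($fh, $target) = tempfile();
close $fh;

# --- attacker side -----------------------------------------------------------
# bless() accepts any package name, so no copy of the victim's class is needed.
# The attacker only has to know that the victim loads a class whose DESTROY
# acts on a field the attacker can fill in.
my $forged = freeze( bless +{ path => $target }, 'Victim::ScratchFile' );
# The temporary object is freed here; at this point the package has no DESTROY
# (it is installed below, as it would be absent in the attacker's process).

# --- victim side -------------------------------------------------------------
# In a real process this class would have been loaded long before any cache
# read; installing it at runtime here only keeps the ordering honest.
{
    no warnings 'once';
    *Victim::ScratchFile::DESTROY = sub {
        my ($self) = @_;
        unlink $self->{path} if defined $self->{path};   # cleanup meant for its own files
    };
}

# Stand-in for the cache read path: bytes from disk in, object out, no checks.
sub victim_load_cached {
    my ($bytes) = @_;
    return thaw($bytes);
}

printf "before thaw: target exists=%d\n", (-e $target ? 1 : 0);
{
    my $obj = victim_load_cached($forged);
    printf "thawed into class: %s\n", ref $obj;      # Victim::ScratchFile
}   # $obj leaves scope here: DESTROY runs with the attacker-supplied path
printf "after thaw:  target exists=%d\n", (-e $target ? 1 : 0);
```

The script deletes only the temp file it created. The point it illustrates is the one the advisory makes: the attacker never needs the victim's class, only its name and the shape of the fields its hooks consume, and the cache read path gives thaw the bytes with no integrity check in between.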

Defensive priority

medium

Recommended defensive actions

  • Upgrade to WWW::Mechanize::Cached version 2.00 or later, which addresses the insecure cache permissions and deserialization behavior.
  • If an immediate upgrade is not possible, pass an explicit cache object with restrictive permissions (for Cache::FileCache, a per-user cache_root and a directory_umask of 077 rather than the default 000, so that no world-writable path is used) and consider disabling caching for sensitive operations.
  • Audit systems for unauthorized modifications to /tmp/FileCache or equivalent cache directories used by WWW::Mechanize::Cached.
  • Review application code for classes with STORABLE_thaw, DESTROY, or overload hooks that could be exploited during deserialization.
  • Monitor applications that use WWW::Mechanize::Cached for cache entries that thaw into something other than an HTTP::Response, or into responses whose headers or body do not match what the origin serves; either indicates a tampered entry.
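As an added illustration of the interim mitigation and the permission audit above (not code from the project), the following script wires WWW::Mechanize::Cached to an explicit Cache::FileCache under a per-user directory and refuses to run if that directory is owned by someone else or writable by group or others. The cache location under $HOME and the namespace are assumptions; the constructor options are the documented Cache::FileCache ones.

```perl
#!/usr/bin/env perl
# Added example, not code from WWW::Mechanize::Cached or Cache::FileCache.
# Mitigation for hosts that cannot upgrade yet: hand WWW::Mechanize::Cached an
# explicit Cache::FileCache whose root only this user can write, and refuse to
# run if that root is writable by group or others. The cache location under
# $HOME and the namespace are assumptions.
use strict;
use warnings;
use Fcntl ':mode';                 # S_IWGRP, S_IWOTH
use File::Path qw(make_path);
use Cache::FileCache;
use WWW::Mechanize::Cached;

# Returns 1 if $dir is owned by the current user and not writable by group
# or others; dies with the offending mode otherwise. Pointing it at the
# default /tmp/FileCache on an affected host reports the 0777 mode.
sub assert_private_dir {
    my ($dir) = @_;
    my @st = stat $dir or die "cannot stat $dir: $!";
    my ($mode, $uid) = @st[2, 4];
    my $me = $<;
    die "$dir is owned by uid $uid, not uid $me\n" if $uid != $me;
    die sprintf("%s is group/world-writable (mode %04o)\n", $dir, $mode & 07777)
        if $mode & (S_IWGRP | S_IWOTH);
    return 1;
}

my $root = "$ENV{HOME}/.cache/www-mechanize-cached";   # assumed per-user location
make_path($root, { mode => 0700 }) unless -d $root;
assert_private_dir($root);

my $cache = Cache::FileCache->new({
    cache_root         => $root,
    namespace          => 'www-mechanize-cached',
    default_expires_in => '1d',
    directory_umask    => 077,   # default is 000, which yields 0777 directories
});

my $mech = WWW::Mechanize::Cached->new( cache => $cache );
# $mech->get('https://example.org/');  # entries now land under $root only
print "cache root $root verified private; cached responses are not shared\n";
```

Run assert_private_dir against /tmp/FileCache to confirm whether an existing deployment is exposed. Note what this does and does not change: other local users can no longer write the entries, but the victim still passes cache contents to Storable::thaw, so the upgrade to 2.00 remains the fix rather than this workaround.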

Evidence notes

CVE published 2026-05-15; NVD entry modified 2026-05-18. Vendor fix released in version 2.00. Patch commit and pull request available via official GitHub repository.

Official resources

2026-05-15