PatchSiren cyber security CVE debrief

CVE-2026-46473 TCHATZI CVE debrief

CVE-2026-46473 describes a high-severity weakness in Authen::TOTP versions before 0.1.1: secrets were generated with Perl’s built-in rand function. Because rand is predictable and not appropriate for security-sensitive secret generation, affected deployments may produce weak TOTP secrets. The issue was published on 2026-05-21 and the source record points to a fix in the 0.1.1 release.

Vendor: TCHATZI
Product: Authen::TOTP
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and developers using Authen::TOTP before 0.1.1, especially anyone relying on generated secrets for authentication workflows. Security teams should treat this as a credential-strength issue affecting OTP setup and provisioning.

Technical summary

The NVD record classifies the issue as CVE-2026-46473 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-331. The vulnerability stems from generating secrets using Perl rand instead of a cryptographically secure source. The supplied references include a patch commit and the Authen::TOTP 0.1.1 changes page, indicating remediation in that release.

Defensive priority

High. Weak secret generation can undermine the security of newly provisioned TOTP secrets, so affected versions should be updated promptly and any secrets created by vulnerable versions should be treated as potentially compromised or low-entropy.

Recommended defensive actions

  • Upgrade Authen::TOTP to version 0.1.1 or later.
  • Audit any deployments that generated TOTP secrets before the fix and re-issue secrets where appropriate.
  • Review application code and packaging to confirm no older Authen::TOTP release remains in use.
  • Validate that secret generation uses a cryptographically secure random source, not Perl rand.
  • Check authentication logs and user support workflows for any indication of weak or reused provisioning secrets.
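Two of the checks above, the installed-version check and the search for Perl rand in secret-generating code, as an added Python helper; it is not part of this debrief or of Authen::TOTP, the sample Perl is constructed, and the version comparison assumes dotted-integer version strings.

```python
"""Audit helpers for CVE-2026-46473: flag Authen::TOTP < 0.1.1 and Perl code
that calls the built-in rand() on lines that generate secrets."""
import re

FIXED_VERSION = (0, 1, 1)  # remediation release named in the CVE references

def parse_version(version: str) -> tuple:
    """Turn a dotted module version such as '0.0.7' or 'v0.1.1' into a tuple
    of integers. Assumption: versions are plain dotted integers."""
    parts = version.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts)

def is_vulnerable_version(version: str) -> bool:
    """True when the installed Authen::TOTP predates the 0.1.1 fix."""
    return parse_version(version) < FIXED_VERSION

# Perl's built-in rand; the lookbehind and \b keep srand(), $rand and
# Crypt::URandom::urandom from matching.
RAND_CALL = re.compile(r"(?<![\$@%>:])\brand\b")

def find_rand_secret_generation(perl_source: str) -> list:
    """Return (line_number, line) pairs where rand appears on a line that also
    mentions a secret, key or seed, i.e. likely OTP secret generation.
    Trailing comments are dropped; this is a triage heuristic, not a parser."""
    hits = []
    for num, line in enumerate(perl_source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # strip a trailing Perl comment
        if not code.strip():
            continue
        if RAND_CALL.search(code) and re.search(r"secret|key|seed", code, re.I):
            hits.append((num, line.strip()))
    return hits

# Constructed sample modelled on the weakness class, not the real module source.
SAMPLE_PERL = """
sub gen_secret {
    my $len = shift // 20;
    my @alphabet = ('A'..'Z', 2..7);          # base32 alphabet
    my $secret = join '', map { $alphabet[int(rand(@alphabet))] } 1..$len;
    return $secret;
}
# rand() is fine for non-security use such as jitter
my $jitter = rand(5);
my $secret2 = Crypt::URandom::urandom(20);   # CSPRNG-backed alternative
"""

if __name__ == "__main__":
    print("0.0.7 vulnerable:", is_vulnerable_version("0.0.7"))
    for num, line in find_rand_secret_generation(SAMPLE_PERL):
        print(f"line {num}: {line}")
```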

Evidence notes

This debrief is based only on the supplied NVD CVE record and the referenced upstream materials. The NVD metadata classifies the weakness as CWE-331 and describes the issue as secrets generated using Perl’s built-in rand function. The referenced upstream materials are a patch commit and the 0.1.1 changes entry, which together support the remediation version. Vendor/product naming in the supplied corpus is inconsistent, so the technical finding is attributed to Authen::TOTP as described in the CVE text and references.

Official resources

Publicly disclosed on 2026-05-21. The supplied record shows the same published and modified timestamps, and the reference materials indicate a fix in Authen::TOTP 0.1.1.