OAuth 2.0 Middleware Vulnerability in Plack (Perl)
CVE-2026-12740

Key Information:

Vendor

Cornelius

CVE Published:
4 July 2026

What is CVE-2026-12740?

Plack::Middleware::OAuth for Perl, in versions up to and including 0.10, does not implement the OAuth 2.0 state parameter, which is the mechanism that ties an authorization response back to the browser session that started the request and so mitigates cross-site request forgery (CSRF) during authentication. Where this middleware is used, the missing state value allows attackers to potentially hijack user sessions: an attacker who initiates an authorization request can direct the victim's session to complete that authorization with the attacker's credentials, linking the victim's account to the attacker's provider identity. This poses severe risk for applications that rely on the middleware for OAuth 2.0 login.
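The check the advisory says is missing, modelled in Python as an added illustration (this is not the module's code): a per-session random `state` is minted before redirecting to the provider and must be echoed back, unmodified and exactly once, before the callback's `code` is accepted. The provider URL, client id and redirect URI are constructed placeholders.

```python
"""Model of the OAuth 2.0 'state' binding that the advisory says the middleware lacks."""
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

# Constructed placeholder values; the real provider URL and client id are not on the page.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://app.example/oauth/callback"


def begin_authorization(session):
    """Mint a per-login random state, bind it to the user's session, and build the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def handle_callback_unprotected(session, query_string):
    """Vulnerable pattern: accepts whatever 'code' arrives, with no binding to this session."""
    params = parse_qs(query_string)
    return params.get("code", [None])[0]


def handle_callback(session, query_string):
    """Hardened pattern: the callback is honoured only if it echoes the state this session minted."""
    params = parse_qs(query_string)
    expected = session.pop("oauth_state", None)  # one-time use: consume before comparing
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return None  # no outstanding authorization for this session, or state missing
    if not hmac.compare_digest(expected, received):
        return None  # state mismatch: callback was not started by this browser session
    return params.get("code", [None])[0]


def demo():
    """Replay the advisory's scenario: a callback that this session never initiated."""
    victim_session = {}
    begin_authorization(victim_session)            # victim starts a login, state is stored
    foreign_callback = "code=attacker-issued-code"  # constructed: carries no matching state
    return (handle_callback_unprotected(dict(victim_session), foreign_callback),
            handle_callback(dict(victim_session), foreign_callback))
```

`demo()` returns the code accepted by the unprotected handler and `None` from the hardened one; the hardened handler also rejects a replayed callback because the state is consumed on first use.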

Affected Version(s)

Plack::Middleware::OAuth versions 0 through 0.10 (inclusive)
