OAuth 2.0 Middleware Vulnerability in Plack by Perl
CVE-2026-12740
What is CVE-2026-12740?
Plack::Middleware::OAuth for Perl, in versions up to and including 0.10, does not implement the OAuth 2.0 state parameter. The state value binds an authorization response to the browser session that started the authorization request; it is the mechanism OAuth 2.0 relies on to prevent cross-site request forgery (CSRF) during login. Without it, the application cannot tell whether a callback it receives belongs to a flow that its own user initiated. An attacker can start an authorization flow against the provider with the attacker's own account, stop before the callback is delivered, and hand the resulting callback URL (carrying the attacker's authorization code) to a logged-in victim, for example through a link or an embedded resource. The victim's browser completes the flow inside the victim's session, and the application links the victim's account to the attacker's provider identity. The practical impact depends on what the application does with that link: where the linked provider identity grants sign-in, the attacker can then authenticate as the victim. Applications that rely on this middleware for OAuth 2.0 login are therefore exposed to session hijacking through login CSRF.
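The following PSGI application shows the missing control: a per-session state value is minted when the authorization request is built, stored server-side, and checked on the callback, so a callback URL that an attacker obtained from their own flow carries a state the victim's session never issued and is rejected. This is an added example written for this page, not code from Plack::Middleware::OAuth or a patch for it. The provider endpoint, client id, redirect URI and URL paths are placeholders, the session store is the in-memory default of Plack::Middleware::Session, and the token exchange after a successful check is left as a comment because it is out of scope for the CSRF point.

```perl
#!/usr/bin/env perl
# Added example: an OAuth 2.0 authorization-code flow in Plack with a
# session-bound state parameter. Requires Plack, Plack::Middleware::Session
# and URI from CPAN. Provider values below are placeholders (assumptions).
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;
use Plack::Response;
use Plack::Session;
use URI;

my $AUTHORIZE_URL = 'https://provider.example/oauth2/authorize';   # placeholder
my $CLIENT_ID     = 'example-client-id';                            # placeholder
my $REDIRECT_URI  = 'https://app.example/oauth/callback';           # placeholder

# 32 bytes from the kernel CSPRNG, hex-encoded. The attacker has to guess
# this value to forge a callback for someone else's session.
sub new_state {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 32;
    close $fh;
    return unpack 'H*', $bytes;
}

# Constant-time comparison so the check does not leak how many leading
# bytes of the expected state a submitted value shares with it.
sub states_match {
    my ($expected, $got) = @_;
    return 0 unless defined $expected && defined $got
                 && length $expected == length $got;
    my $diff = 0;
    $diff |= ord(substr $expected, $_, 1) ^ ord(substr $got, $_, 1)
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

my $app = sub {
    my $env     = shift;
    my $req     = Plack::Request->new($env);
    my $session = Plack::Session->new($env);

    if ($req->path_info eq '/oauth/login') {
        # Step 1: mint a fresh state, remember it in this session only, and
        # send it to the provider, which must echo it back on the callback.
        my $state = new_state();
        $session->set(oauth_state => $state);

        my $uri = URI->new($AUTHORIZE_URL);
        $uri->query_form(
            response_type => 'code',
            client_id     => $CLIENT_ID,
            redirect_uri  => $REDIRECT_URI,
            scope         => 'openid',
            state         => $state,
        );
        my $res = Plack::Response->new;
        $res->redirect($uri->as_string, 302);
        return $res->finalize;
    }

    if ($req->path_info eq '/oauth/callback') {
        # Step 2: the callback must carry the state this session started
        # with. A victim lured onto an attacker's callback URL has either no
        # stored state or a different one, so the code is never exchanged
        # and no identity is linked. The state is single-use.
        my $expected = $session->get('oauth_state');
        $session->remove('oauth_state');
        my $got = $req->parameters->{state};
        unless (states_match($expected, $got)) {
            return [403, ['Content-Type' => 'text/plain'], ['OAuth state mismatch']];
        }
        my $code = $req->parameters->{code} // '';
        # ... exchange $code at the provider's token endpoint, then link the
        #     returned identity to the user who owns *this* session ...
        return [200, ['Content-Type' => 'text/plain'], ["callback accepted for code $code"]];
    }

    return [404, ['Content-Type' => 'text/plain'], ['not found']];
};

builder {
    enable 'Session';   # default in-memory store and cookie state; swap for a persistent store in production
    $app;
};
```

Run it with `plackup` and visit `/oauth/login`; then request `/oauth/callback?code=x&state=anything` from a fresh browser session and observe the 403. The two properties that matter are that the state is unguessable (CSPRNG, 256 bits) and that it is bound to and consumed by the session that created it; a state that is merely present but not tied to the session would still let the attacker's callback URL through.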
Affected Version(s)
Plack::Middleware::OAuth: all versions up to and including 0.10 (0 <= version <= 0.10)
