OAuth 2.0 State Parameter Vulnerability in Dancer2::Plugin::Auth::OAuth::Provider for Perl
CVE-2026-12746
What is CVE-2026-12746?
Versions of the Dancer2::Plugin::Auth::OAuth::Provider plugin for Perl before 0.23 do not support the OAuth 2.0 state parameter. The authentication_url method redirects the browser to the provider's authorization endpoint without a state value, so the callback method has no way to confirm that the authorization response it receives belongs to the session that started the flow. This is the classic OAuth login / account-linking cross-site request forgery (CSRF): an attacker starts an authorization flow with their own provider account, captures the resulting callback URL (which carries an authorization code for that account) instead of following it, and causes a logged-in victim's browser to load it. The application accepts the code and links the attacker's provider identity to the victim's account, after which the attacker can sign in to the victim's account through the provider, exposing the victim's data and privacy. Version 0.23 adds support for the state parameter, which is the standard mitigation: an unguessable state is generated per authorization request, bound to the initiating session, sent to the provider, and any callback whose state does not match is rejected.
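As an added illustration (not code from the plugin or its 0.23 fix), the following core-Perl sketch shows what the missing state handshake looks like on both ends of the flow. The provider endpoint, client_id and redirect_uri are placeholders, the session is a plain hash standing in for the Dancer2 session, and the function names authorization_url and verify_callback are hypothetical stand-ins for the plugin's authentication_url and callback methods.

```perl
#!/usr/bin/env perl
# Added example, not code from Dancer2::Plugin::Auth::OAuth::Provider.
# (1) Build the authorization redirect with a fresh, unguessable state bound
#     to the initiating session.
# (2) On callback, accept the response only if the provider echoes the state
#     stored for *this* session; otherwise treat it as CSRF and refuse.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64url);

# 32 bytes from the OS CSPRNG, URL-safe encoded. Reading /dev/urandom keeps
# the example to core modules; Crypt::URandom is the portable CPAN option.
sub random_state {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return encode_base64url($bytes);
}

# Minimal RFC 3986 percent-encoding for query values (core Perl only).
sub urlencode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Step 1: what authentication_url lacks before 0.23. Placeholder endpoint,
# client_id and redirect_uri; $sess is a hashref standing in for the session.
sub authorization_url {
    my ($sess) = @_;
    my $state = random_state();
    $sess->{oauth_state} = $state;          # bind state to the initiating session
    my %q = (
        response_type => 'code',
        client_id     => 'example-client',
        redirect_uri  => 'https://app.example/auth/callback',
        state         => $state,
    );
    my $query = join '&', map { "$_=" . urlencode($q{$_}) } sort keys %q;
    return "https://provider.example/oauth/authorize?$query";
}

# Constant-time string comparison; caller checks lengths first.
sub constant_time_eq {
    my ($x, $y) = @_;
    my $r = 0;
    $r |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $r == 0;
}

# Step 2: what callback must do. Returns the authorization code to exchange,
# or dies. The stored state is consumed so a captured callback URL cannot be
# replayed against the same session.
sub verify_callback {
    my ($sess, $params) = @_;
    my $expected = delete $sess->{oauth_state};
    die "no pending authorization in this session\n" unless defined $expected;
    my $got = $params->{state} // '';
    die "state mismatch: possible CSRF\n"
        unless length($got) == length($expected) && constant_time_eq($got, $expected);
    return $params->{code} // die "no authorization code in callback\n";
}

# Demo. Legitimate flow: the user's own redirect, then the provider's callback
# carrying the same state.
my %user;
my $url = authorization_url(\%user);
my ($state) = $url =~ /[?&]state=([^&]+)/;
print "redirect to: $url\n";
print "legitimate callback accepted, code=",
      verify_callback(\%user, { code => 'code-for-user', state => $state }), "\n";

# Attack from the advisory: the victim has a session, the attacker feeds it a
# callback URL holding a code for the attacker's provider account. Without
# state the application would link that account to the victim; with it the
# callback is refused because the attacker cannot know the victim's state.
my %victim;
authorization_url(\%victim);
eval { verify_callback(\%victim, { code => 'code-for-attacker-account' }) };
print "forged callback rejected: $@";
```

The length check before constant_time_eq is what turns a missing or truncated state into a rejection rather than an out-of-range substr; the delete ensures a state is good for exactly one callback.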
Affected Version(s)
Dancer2::Plugin::Auth::OAuth::Provider, all versions before 0.23 (0 <= version < 0.23)
