Insecure Default State Parameter in Mojolicious::Plugin::Web::Auth::OAuth2 for Perl
CVE-2026-9733

Currently unrated

Key Information:

Vendor: Hayajo
CVE Published: 23 June 2026

What is CVE-2026-9733?

Mojolicious::Plugin::Web::Auth::OAuth2 for Perl ships with an insecure default OAuth2 state parameter that can lead to session hijacking. When no state generator is supplied in the constructor, the module falls back to a SHA-1 hash of low-entropy inputs, including timestamps and random values. Because such a state value is predictable, an attacker can hijack user sessions through cross-site request forgery (CSRF), a significant risk for applications that rely on this plugin for authentication.
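The weak pattern the advisory describes beside a hardened replacement, as an added example that is not the module's own code: the state is drawn from the OS CSPRNG, bound to the user's session, compared in constant time on the callback and consumed so it cannot be replayed. Crypt::URandom is a CPAN module assumed to be installed; the session hash and the function names are illustrative, not the plugin's API.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use MIME::Base64 qw(encode_base64url);
use Crypt::URandom qw(urandom);   # CPAN; wraps the OS CSPRNG

# Weak pattern of the kind the advisory describes (constructed illustration,
# not the module's code): a SHA-1 of the clock and rand() has far less
# entropy than its 160-bit output suggests, because both inputs are guessable.
sub weak_state {
    return sha1_hex(time() . rand());
}

# Hardened replacement: 32 bytes from the OS CSPRNG, URL-safe encoded.
sub secure_state {
    return encode_base64url(urandom(32));
}

# Constant-time comparison so state validation does not leak the position
# of the first mismatching byte through timing.
sub consteq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Authorization step: mint a state and bind it to this user's session.
sub start_authorization {
    my ($session) = @_;
    my $state = secure_state();
    $session->{oauth2_state} = $state;
    return $state;   # goes into the redirect to the provider
}

# Callback step: the echoed state must match the one bound to this session;
# delete() consumes it so a second presentation is rejected.
sub validate_callback {
    my ($session, $returned_state) = @_;
    my $expected = delete $session->{oauth2_state};
    return consteq($expected, $returned_state) ? 1 : 0;
}

my %session;                       # constructed stand-in for a server-side session
my $state = start_authorization(\%session);
print "callback ok\n"      if     validate_callback(\%session, $state);
print "replay rejected\n"  unless validate_callback(\%session, $state);
```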

Affected Version(s)

Mojolicious::Plugin::Web::Auth::OAuth2, versions 0 through 0.17 inclusive

Timeline

  • Vulnerability published

  • Vulnerability reserved