CVE-2026-9733: Perl Mojolicious OAuth2 Plugin Insecure Default State Parameter Enables Authorization Code Interception (CVSS 9.1)

CVE: CVE-2026-9733 | CVSS 3.1: 9.1 (CRITICAL) | CWE: CWE-340 (Generation of Predictable Numbers or Identifiers) | Vendor: Mojolicious | Product: Mojolicious::Plugin::Web::Auth::OAuth2 | Affected versions: ≤ 0.17


What Is the Vulnerability

CVE-2026-9733 is a critical vulnerability in the Mojolicious OAuth2 plugin for Perl that enables OAuth2 authorization code interception attacks. The plugin’s default state parameter generation is cryptographically weak, using a SHA-1 hash of predictable sources — most critically, the current epoch time, which is also leaked to the client via the nonce parameter.

The OAuth2 state parameter is a critical CSRF defense defined in RFC 6749 Section 10.12. It binds the authorization request to the user’s session, ensuring that the authorization code returned by the OAuth2 provider cannot be intercepted and used by an attacker. When the state parameter is predictable, an attacker can precompute the expected state value and craft a malicious authorization request.

The attack works as follows: the attacker initiates an OAuth2 flow with the targeted provider (Google, GitHub, Facebook, etc.), obtains a valid authorization URL with a predictable state, and tricks the victim into visiting that URL. Because the state is predictable, the attacker can compute it in advance. When the victim completes authentication and the authorization code is returned, the attacker can replay the expected state value and bind the victim’s authorization code to the attacker’s own session — gaining access to the victim’s protected resources on the OAuth2 provider.

All deployments using the plugin’s default configuration are vulnerable. This potentially affects any Perl web application built on Mojolicious that implements OAuth2-based authentication (social login via Google, GitHub, Facebook, or any OAuth2 provider) using this plugin.


Versions Affected

  • Mojolicious::Plugin::Web::Auth::OAuth2 versions 0.17 and earlier
  • Any deployment using the plugin’s default state generation configuration

Exploited?

There is no known active exploitation of CVE-2026-9733 in the wild at this time. However, the attack is well-understood and the OAuth2 authorization code interception pattern is a known threat vector. Organizations using the vulnerable plugin should patch immediately.


Fix

The fix involves replacing the insecure default state generator with a cryptographically secure implementation. Users of the plugin should:

  • Upgrade to a patched version of Mojolicious::Plugin::Web::Auth::OAuth2 (version > 0.17) once available.
  • If upgrading is not immediately possible, explicitly configure a cryptographically secure state generator rather than relying on the plugin’s default. Use a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) — in Perl, this can be achieved with Crypt::URandom or Math::Random::Secure to generate a high-entropy random state value (at least 128 bits of entropy recommended).
  • Verify that the state parameter is properly validated on the callback endpoint — the returned state must exactly match the state stored in the user’s session.

Recommendations

  • Inventory all Perl/Mojolicious applications in your environment that implement OAuth2 authentication flows.
  • Identify whether they use Mojolicious::Plugin::Web::Auth::OAuth2 and, if so, which version.
  • Apply the vendor patch or implement a custom cryptographically secure state generator immediately.
  • Review OAuth2 callback handlers to ensure proper state validation is in place — reject any callback where the state parameter does not match the session-stored value.
  • Consider implementing additional OAuth2 security measures such as PKCE (Proof Key for Code Exchange, RFC 7636) where supported by the OAuth2 provider, as an additional layer of defense against authorization code interception.
  • Audit session management to ensure sessions cannot be hijacked through other vectors that would compound this vulnerability.
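The secure state generator called for under Fix and the PKCE layer recommended above, shown together in a minimal Mojolicious::Lite app. This is an added example, not code from Mojolicious::Plugin::Web::Auth::OAuth2 or its patch: it generates the state directly rather than through the plugin's configuration (the plugin's option names are not given on this page), and the provider URL, client id and redirect URI are placeholders. The state is 128 bits from the OS CSPRNG via Crypt::URandom, stored in the session, removed on first use and compared in constant time on the callback; the PKCE code_verifier is stored alongside it and its S256 challenge is sent with the authorization request.

```perl
#!/usr/bin/env perl
# Added example (not the plugin's code): a Mojolicious::Lite app that
# generates the OAuth2 state from the OS CSPRNG, binds it to the session,
# validates it on the callback, and adds a PKCE code_verifier/code_challenge.
use Mojolicious::Lite -signatures;
use Mojo::URL;
use Mojo::Util qw(secure_compare sha256_bytes b64_encode);
use Crypt::URandom qw(urandom);

# Placeholder provider/client settings (assumptions, not from the advisory).
my $AUTHORIZE_URL = 'https://provider.example/oauth2/authorize';
my $CLIENT_ID     = 'example-client-id';
my $REDIRECT_URI  = 'https://app.example/oauth2/callback';

# RFC 4648 base64url without padding, as PKCE (RFC 7636) requires.
sub b64url ($bytes) {
  my $s = b64_encode($bytes, '');
  $s =~ tr{+/}{-_};
  $s =~ s/=+\z//;
  return $s;
}

# State: 16 bytes (128 bits) from the OS CSPRNG, hex-encoded. Unlike a
# SHA-1 over the epoch time, nobody who knows roughly when the login
# started can precompute it.
sub new_state { return unpack 'H*', urandom(16) }

# PKCE: the verifier is 32 random bytes (43 base64url characters); the
# challenge is the S256 transform of the verifier.
sub new_pkce {
  my $verifier  = b64url(urandom(32));
  my $challenge = b64url(sha256_bytes($verifier));
  return ($verifier, $challenge);
}

# The callback state must match the session-stored state exactly. Reject
# missing or empty values outright and compare in constant time.
sub state_is_valid ($expected, $got) {
  return 0 unless defined $expected && defined $got && length $expected;
  return secure_compare($expected, $got) ? 1 : 0;
}

get '/login' => sub ($c) {
  my $state = new_state();
  my ($verifier, $challenge) = new_pkce();
  # Both values are bound to this user's session, never derived from time.
  $c->session(oauth2_state => $state, pkce_verifier => $verifier);
  my $url = Mojo::URL->new($AUTHORIZE_URL)->query(
    response_type         => 'code',
    client_id             => $CLIENT_ID,
    redirect_uri          => $REDIRECT_URI,
    scope                 => 'openid',
    state                 => $state,
    code_challenge        => $challenge,
    code_challenge_method => 'S256',
  );
  $c->redirect_to($url);
};

get '/oauth2/callback' => sub ($c) {
  # Single use: remove the state from the session before checking it, so a
  # replayed callback cannot match a second time.
  my $expected = delete $c->session->{oauth2_state};
  my $verifier = delete $c->session->{pkce_verifier};
  return $c->render(text => 'OAuth2 state mismatch', status => 400)
    unless state_is_valid($expected, $c->param('state'));
  # Only now is it safe to exchange $c->param('code') for a token, sending
  # $verifier as code_verifier in the token request.
  $c->render(text => 'state and PKCE verifier accepted');
};

app->start;
```

Run it with `perl app.pl daemon` and visit /login; the redirect carries a fresh 32-hex-character state on every request, and a callback whose state parameter is absent, empty or differs in any byte from the session value gets a 400 before any code exchange happens. Set a real session secret with `app->secrets(...)` in production, since the session cookie is what binds the state to the user.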

References

Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 24, 2026 Vulnerability Intelligence Report for broader context.
