CVE-2026-11832

Description

Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.

Metadata

CVE ID: CVE-2026-11832
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-06-09 21:09 UTC
Published: 2026-06-15 21:19 UTC
Last updated: 2026-06-15 21:19 UTC
Primary CWE: CWE-338
CWE-338 Use of Cryptographically Weak Pseudo-Random Number G…
Vendor / Product: BIAFRA / Dancer2::Plugin::Auth::OAuth
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
BIAFRA	Dancer2::Plugin::Auth::OAuth	—	0 < 0.22

Weakness (CWE)

CWE	Source	Description
CWE-338	cna	CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References (4)

https://metacpan.org/release/BIAFRA/Dancer2-Plugin-Auth-OAuth-0.22/changes
https://www.cve.org/CVERecord?id=CVE-2025-22376
https://datatracker.ietf.org/doc/html/rfc5849#section-3.3
https://datatracker.ietf.org/doc/html/rfc5849#section-4.9

Back to overview