CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand
Robert Rothenberg, 21 May 2026 18:55 UTC

========================================================================
CVE-2026-46473                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-46473
   Distribution:  Authen-TOTP
       Versions:  before 0.1.1

       MetaCPAN:  https://metacpan.org/dist/Authen-TOTP
       VCS Repo:  https://github.com/tchatzi/Authen-TOTP

Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand

Description
-----------
Authen::TOTP versions before 0.1.1 for Perl generate secrets using
rand.

Secrets were generated using Perl's built-in rand function, a
non-cryptographic pseudorandom number generator whose output is
predictable and therefore unsuitable for security-sensitive values such
as TOTP shared secrets.

Problem types
-------------
- CWE-331 Insufficient Entropy

Solutions
---------
Upgrade to version 0.1.1 or later.
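As an added illustration of the weakness described above and of the upgrade check (this is not code from Authen::TOTP or from the CPAN Security Group), the following script shows a rand-based secret generator beside one backed by the operating system CSPRNG, then reports whether the installed Authen::TOTP is at a fixed version. It assumes the CPAN modules Crypt::URandom and MIME::Base32 are installed; the choice of those modules is this example's, not the project's.

```perl
#!/usr/bin/env perl
# Added example, not Authen::TOTP's own code: weak vs. CSPRNG-backed
# secret generation, plus a version check against the advisory's fix.
use strict;
use warnings;
use version;
use Crypt::URandom qw(urandom);        # assumption: CSPRNG source used here
use MIME::Base32   qw(encode_base32);  # assumption: only for display

# Weak pattern (the kind of code the advisory describes): rand() is a
# deterministic PRNG seeded with little entropy, so its output is
# predictable and must not be used for authentication secrets.
sub weak_secret {
    my $len = shift // 20;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened form: raw bytes from the OS CSPRNG (/dev/urandom, getrandom()
# or the Windows equivalent, as selected by Crypt::URandom).
sub strong_secret {
    my $len = shift // 20;   # 20 bytes = 160 bits, matching SHA-1 HOTP/TOTP
    return urandom($len);
}

# TOTP shared secrets are exchanged as Base32 (RFC 4648), e.g. inside
# otpauth:// provisioning URIs, so encode the raw bytes for display.
my $secret = strong_secret(20);
printf "secret (base32): %s\n", encode_base32($secret);

# Is the installed Authen::TOTP at or past the fixed release 0.1.1?
sub authen_totp_status {
    return 'not installed' unless eval { require Authen::TOTP; 1 };
    my $v = Authen::TOTP->VERSION;
    return version->parse($v) >= version->parse('0.1.1')
        ? "$v (fixed)"
        : "$v (affected, upgrade to 0.1.1 or later)";
}
printf "Authen::TOTP: %s\n", authen_totp_status();
```

Secrets already issued by an affected version were produced from rand and should be reissued after upgrading; the upgrade alone does not replace them.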

References
----------
https://metacpan.org/release/TCHATZI/Authen-TOTP-0.1.1/changes
https://github.com/tchatzi/Authen-TOTP/commit/d04f30cc6538d77fc6b6d550da450cf3017b8561.patch