CVE-2026-11832: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce

CVE-2026-11832: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce Robert Rothenberg 15 Jun 2026 21:22 UTC

========================================================================
CVE-2026-11832                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-11832
   Distribution:  Dancer2-Plugin-Auth-OAuth
       Versions:  before 0.22

       MetaCPAN: https://metacpan.org/dist/Dancer2-Plugin-Auth-OAuth
       VCS Repo: https://github.com/biafra/perl-Dancer2-Plugin-Auth-OAuth

Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a
predictable nonce

Description
-----------
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a
predictable nonce.

The default nonce was generated using an MD5 hash of the epoch time,
which is predictable.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

Solutions
---------
Upgrade to version 0.22 or later.

References
----------
https://metacpan.org/release/BIAFRA/Dancer2-Plugin-Auth-OAuth-0.22/changes
https://www.cve.org/CVERecord?id=CVE-2025-22376
https://datatracker.ietf.org/doc/html/rfc5849#section-3.3
https://datatracker.ietf.org/doc/html/rfc5849#section-4.9