CVE-2026-13410
Google · Dancer::Plugin::Auth::Google
Dancer::Plugin::Auth::Google fails to perform proper SSL certificate validation during authentication requests, potentially allowing man-in-the-middle attacks.
Executive summary
A high-severity improper certificate validation flaw in the Dancer::Plugin::Auth::Google library could allow unauthenticated attackers to intercept or manipulate authentication traffic.
Vulnerability
The vulnerability stems from CWE-295, improper certificate validation. When the plugin initiates HTTPS requests, it fails to verify the authenticity of the server, allowing an unauthenticated attacker positioned in the network path to conduct man-in-the-middle attacks.
Business impact
Successful exploitation could lead to the compromise of sensitive authentication tokens, enabling unauthorized access to protected resources. Given the CVSS score of 8.2, this vulnerability represents a significant risk to data confidentiality and integrity, potentially resulting in full account takeover for affected services.
Remediation
Immediate Action: Update the Dancer::Plugin::Auth::Google library to version 0.08 or later as directed by the vendor.
Proactive Monitoring: Review application logs for unusual HTTPS handshake failures or unexpected connection patterns originating from the plugin.
Compensating Controls: Ensure that all outbound traffic from the application environment is routed through secure, inspected proxies that enforce strict TLS certificate validation.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a high risk to authentication security. Administrators should prioritize the update of this dependency immediately to prevent potential credential interception.