CVE-2026-13410

Google · Dancer::Plugin::Auth::Google

Dancer::Plugin::Auth::Google fails to perform proper SSL certificate validation during authentication requests, potentially allowing man-in-the-middle attacks.

Executive summary

A high-severity improper certificate validation flaw in the Dancer::Plugin::Auth::Google library could allow unauthenticated attackers to intercept or manipulate authentication traffic.

Vulnerability

The vulnerability stems from CWE-295, improper certificate validation. When the plugin initiates HTTPS requests, it fails to verify the authenticity of the server, allowing an unauthenticated attacker positioned in the network path to conduct man-in-the-middle attacks.

Business impact

Successful exploitation could lead to the compromise of sensitive authentication tokens, enabling unauthorized access to protected resources. Given the CVSS score of 8.2, this vulnerability represents a significant risk to data confidentiality and integrity, potentially resulting in full account takeover for affected services.

Remediation

Immediate Action: Update the Dancer::Plugin::Auth::Google library to version 0.08 or later as directed by the vendor.

Proactive Monitoring: Review application logs for unusual HTTPS handshake failures or unexpected connection patterns originating from the plugin.

Compensating Controls: Ensure that all outbound traffic from the application environment is routed through secure, inspected proxies that enforce strict TLS certificate validation.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a high risk to authentication security. Administrators should prioritize the update of this dependency immediately to prevent potential credential interception.