Message-ID: <5e7fd02a-6893-4eaa-ac05-2a56a6926ca2@cpansec.org>
Date: Thu, 21 May 2026 19:55:00 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate
 secrets using rand

========================================================================
CVE-2026-46473                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-46473
   Distribution:  Authen-TOTP
       Versions:  before 0.1.1

       MetaCPAN:  https://metacpan.org/dist/Authen-TOTP
       VCS Repo:  https://github.com/tchatzi/Authen-TOTP


Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand

Description
-----------
Authen::TOTP versions before 0.1.1 for Perl generate secrets using
rand.

Secrets were generated using Perl's built-in rand function. rand is a
non-cryptographic pseudorandom generator with a small internal state
whose output is predictable from earlier output, so it is unsuitable
for generating secrets.
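The following added example is not part of the advisory or of Authen::TOTP
itself. It shows why a secret built from rand is recoverable, and what a
CSPRNG-backed replacement looks like. It assumes perl 5.20 or later, where
rand() is perl's own drand48 implementation (a 48-bit linear congruential
generator whose raw output is X/2^48); the helper names weak_secret,
predict_from_sample and strong_secret are invented for the demonstration, and
the fixed srand seed exists only to make the run reproducible.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Math::BigInt;   # core module; used so the 48-bit LCG arithmetic cannot overflow

# drand48 constants used by perl's rand() since 5.20 (assumption stated above):
#   X_{n+1} = (a * X_n + c) mod 2^48      rand() returns X_{n+1} / 2^48
my $A    = Math::BigInt->new('0x5DEECE66D');
my $C    = Math::BigInt->new(11);
my $MASK = Math::BigInt->new(2)->bpow(48)->bdec;   # 2^48 - 1

# Vulnerable pattern (illustrative, not the module's code): a 20-byte secret
# assembled from rand(). Each byte is the top 8 bits of the next LCG state.
sub weak_secret {
    my $len = shift // 20;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Attacker side: one raw rand() value reveals the full 48-bit state, after
# which every later value, and therefore the "secret", is computed, not guessed.
sub predict_from_sample {
    my ($sample, $n) = @_;
    # $sample is X/2^48 exactly, so scaling by 2^48 recovers X without rounding.
    my $state = Math::BigInt->new(sprintf('%.0f', $sample * 2**48));
    my @bytes;
    for (1 .. $n) {
        $state = $state->copy->bmul($A)->badd($C)->band($MASK);
        # int(rand(256)) == int(256 * X/2^48) == X >> 40
        push @bytes, chr($state->copy->brsft(40)->numify);
    }
    return join '', @bytes;
}

# Hardened pattern: draw the secret bytes from the kernel CSPRNG instead.
sub strong_secret {
    my $len = shift // 20;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = sysread($fh, my $buf, $len);
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    close $fh;
    return $buf;
}

srand(12345);                       # fixed seed purely for a reproducible demo
my $leaked    = rand();             # one non-secret rand() value the attacker saw
my $secret    = weak_secret(20);    # the "secret" generated right after it
my $predicted = predict_from_sample($leaked, 20);

printf "rand()-based secret predicted from one leaked value: %s\n",
    $secret eq $predicted ? 'yes' : 'no';
printf "CSPRNG secret (hex): %s\n", unpack 'H*', strong_secret(20);
```

The state recovery above needs one full rand() output, but the 48-bit state is
small enough that an attacker holding only a few int(rand(256)) bytes (for
example, a partially exposed secret) can also brute-force it offline; there is
no usage of rand that is safe for secrets. On CPAN, Crypt::URandom provides a
portable wrapper around the platform CSPRNG if reading /dev/urandom directly
is not acceptable.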

Problem types
-------------
- CWE-331 Insufficient Entropy

Solutions
---------
Upgrade to version 0.1.1 or later. Secrets generated by an affected
version remain weak after the upgrade and should be regenerated.


References
----------
https://metacpan.org/release/TCHATZI/Authen-TOTP-0.1.1/changes
https://github.com/tchatzi/Authen-TOTP/commit/d04f30cc6538d77fc6b6d550da450cf3017b8561.patch


