CVE-2026-5091

NameCVE-2026-5091
DescriptionCatalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1137325

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcatalyst-plugin-authentication-perl (PTS)bullseye0.10023-3vulnerable
bookworm0.10023-4vulnerable
forky, sid, trixie0.10024-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcatalyst-plugin-authentication-perlsource(unstable)(unfixed)1137325

Notes

[trixie] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
[bookworm] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
[bullseye] - libcatalyst-plugin-authentication-perl <postponed> (Minor issue, side channel)
https://lists.security.metacpan.org/cve-announce/msg/40281889/
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e (v0.10_025)
Search for package or bug name: Reporting problems