VYPR
High severity 7.5 · NVD Advisory · Published May 21, 2026 · Updated May 21, 2026

CVE-2026-46473

Description

Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.

Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authen::TOTP for Perl versions before 0.1.1 generate secrets using Perl's predictable rand() function, making TOTP secrets guessable and weakening 2FA security.

Vulnerability Overview

Authen::TOTP before version 0.1.1 for Perl used Perl's built-in rand() function to generate TOTP secrets [1]. The rand() function is a predictable pseudorandom number generator (PRNG) that is not suitable for security-sensitive purposes like generating cryptographic secrets. The vulnerability was identified and reported by rrwo@cpansec.org [1].

Exploitation and Attack Surface

The attack requires no authentication: rand() is seeded and stepped deterministically, so its output can be predicted by an attacker who can observe or infer the state of the Perl process. In practice this means an attacker would need to run code on the same server or otherwise gain access to the process state in order to predict the generated secret. Because that secret is the shared key from which TOTP codes are derived, an attacker who can predict it can generate valid TOTP codes for the affected user. No network access or user interaction is required beyond the ability to guess the secret [1][2].

Impact

If exploited, an attacker could predict TOTP secrets generated by the vulnerable module, allowing them to bypass two-factor authentication (2FA) for any service relying on Authen::TOTP for secret generation [1]. The impact is high because it undermines the security of any application using this module for 2FA.

Mitigation

The vulnerability is fixed in version 0.1.1, released 2026-05-18, by replacing rand() with Crypt::PRNG::random_string_from() [1][2]. Users should upgrade to version 0.1.1 or later and regenerate all existing TOTP secrets that were generated with the buggy version [2]. No workaround other than upgrading is available.
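An added example (not code from Authen::TOTP or from this advisory) showing the two checks a practitioner would want after reading the above: whether the installed Authen::TOTP is at or past the fixed version, and how to mint replacement secrets from a CSPRNG via Crypt::PRNG::random_string_from() for the re-enrolment the advisory calls for. The 32-character base32 length and the `authen_totp_is_fixed` / `new_base32_secret` names are assumptions, not the module's own API.

```perl
#!/usr/bin/env perl
# Added example: audit an installed Authen::TOTP for CVE-2026-46473 and
# generate a replacement secret from a cryptographically secure PRNG.
use strict;
use warnings;
use version;
use Crypt::PRNG qw(random_string_from);   # CryptX; OS-backed CSPRNG

my $FIXED = version->parse('0.1.1');      # first release that uses Crypt::PRNG

# Returns 1 if the installed Authen::TOTP is at or above the fixed version,
# 0 if it is older (affected), undef if it is not installed or unversioned.
sub authen_totp_is_fixed {
    my $installed = eval { require Authen::TOTP; Authen::TOTP->VERSION };
    return undef unless defined $installed;
    return version->parse($installed) >= $FIXED ? 1 : 0;
}

# Generate a fresh TOTP shared secret from the CSPRNG rather than rand().
# 32 base32 characters = 160 bits, the RFC 4226 recommended key size
# (128 bits is the minimum). The RFC 4648 base32 alphabet is what
# authenticator apps expect in a provisioning URI. Length is an assumed
# default for this example, not Authen::TOTP's own.
sub new_base32_secret {
    my $len = shift // 32;
    return random_string_from('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $len);
}

my $status = authen_totp_is_fixed();
if (!defined $status) {
    print "Authen::TOTP not installed (or has no \$VERSION)\n";
} elsif ($status) {
    print "Authen::TOTP ", Authen::TOTP->VERSION, " is fixed (>= $FIXED)\n";
} else {
    print "Authen::TOTP ", Authen::TOTP->VERSION,
          " is affected by CVE-2026-46473: upgrade and rotate all secrets\n";
}
print "replacement secret: ", new_base32_secret(), "\n";
```

Secrets already issued by an affected version stay guessable after the upgrade, so the rotation step matters as much as the version bump: every user enrolled under the old module needs a newly generated secret.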

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
