CVE-2026-8612: CWE-732 Incorrect Permission Assignment for Critical Resource in OALDERS WWW::Mechanize::Cached
CVE-2026-8612 affects WWW::Mechanize::Cached versions before 2.00 for Perl, where cached HTTP responses are stored in a world-writable directory with insecure permissions. This allows a local attacker with write access to the cache directory to replace cached responses with attacker-controlled data. When the victim process retrieves the cached response, it deserializes the data using Storable::thaw, potentially triggering arbitrary code execution if certain Perl classes with side-effectful hooks are loaded. The vulnerability arises from incorrect permission assignment (CWE-732) and unsafe deserialization (CWE-502).
AI Analysis
Technical Summary
WWW::Mechanize::Cached versions prior to 2.00 use a default Cache::FileCache backend that creates cache directories under /tmp/FileCache with mode 0777 and no sticky bit, making them world-writable. Cache entries are named by sha1_hex of the request and deserialized via Storable::thaw. A local attacker with write access to the cache directory can replace a victim's cached HTTP response with a malicious frozen HTTP::Response object. Upon the victim's next cache hit, the deserialization process can invoke side-effectful STORABLE_thaw, DESTROY, or overload hooks in loaded classes, leading to arbitrary code execution. This vulnerability combines incorrect permission assignment (CWE-732) and unsafe deserialization (CWE-502).
Potential Impact
An attacker with local write access to the cache directory can cause victim processes using WWW::Mechanize::Cached to execute arbitrary code by injecting malicious serialized HTTP responses. This can lead to local response forgery and code execution with the privileges of the victim process. The CVSS score is 5.3 (medium severity), reflecting the requirement for local access and privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict write permissions to the cache directory to trusted users only and avoid running WWW::Mechanize::Cached in environments where untrusted local users have write access to the cache directory. Consider configuring an explicit cache backend with secure permissions if supported.
CVE-2026-8612: CWE-732 Incorrect Permission Assignment for Critical Resource in OALDERS WWW::Mechanize::Cached
Description
CVE-2026-8612 affects WWW::Mechanize::Cached versions before 2.00 for Perl, where cached HTTP responses are stored in a world-writable directory with insecure permissions. This allows a local attacker with write access to the cache directory to replace cached responses with attacker-controlled data. When the victim process retrieves the cached response, it deserializes the data using Storable::thaw, potentially triggering arbitrary code execution if certain Perl classes with side-effectful hooks are loaded. The vulnerability arises from incorrect permission assignment (CWE-732) and unsafe deserialization (CWE-502).
CVSS v3.1
Score 5.3medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWW::Mechanize::Cached versions prior to 2.00 use a default Cache::FileCache backend that creates cache directories under /tmp/FileCache with mode 0777 and no sticky bit, making them world-writable. Cache entries are named by sha1_hex of the request and deserialized via Storable::thaw. A local attacker with write access to the cache directory can replace a victim's cached HTTP response with a malicious frozen HTTP::Response object. Upon the victim's next cache hit, the deserialization process can invoke side-effectful STORABLE_thaw, DESTROY, or overload hooks in loaded classes, leading to arbitrary code execution. This vulnerability combines incorrect permission assignment (CWE-732) and unsafe deserialization (CWE-502).
Potential Impact
An attacker with local write access to the cache directory can cause victim processes using WWW::Mechanize::Cached to execute arbitrary code by injecting malicious serialized HTTP responses. This can lead to local response forgery and code execution with the privileges of the victim process. The CVSS score is 5.3 (medium severity), reflecting the requirement for local access and privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict write permissions to the cache directory to trusted users only and avoid running WWW::Mechanize::Cached in environments where untrusted local users have write access to the cache directory. Consider configuring an explicit cache backend with secure permissions if supported.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-14T16:30:23.954Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a06b46bec166c07b0d02a9c
Added to database: 5/15/2026, 5:51:39 AM
Last enriched: 5/22/2026, 3:37:28 PM
Last updated: 6/18/2026, 4:20:54 AM
Views: 83
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.