Description
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session IDs. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session IDs that can grant them access to systems. Specifically,

* There is no warning when uuidgen fails. If the command fails for any reason, the software quietly uses the fallback rand() function without any indication.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is disclosed in HTTP responses.
* Per RFC 9562, UUIDs should not be used as security capabilities, i.e. as identifiers whose mere possession grants access.
* The output of the built-in rand() function is predictable and unsuitable for security applications.
Published: 2026-02-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized session hijacking via predictable session IDs
Action: Immediate Patch
AI Analysis

Impact

Concierge::Sessions, a Perl module for generating session identifiers, issues insecure IDs in releases 0.8.1 through 0.8.4. The generate_session_id routine first invokes the uuidgen command and, on failure, silently falls back to Perl's rand() function. Neither mechanism provides cryptographic randomness: uuidgen without the --random switch generates time-based UUIDs that embed the system clock, and Perl's rand() is deterministic once seeded, so attackers can predict or brute-force session identifiers that serve as full access tokens.

Affected Systems

The affected product is BVA’s Concierge::Sessions library versions older than 0.8.5, as listed by the CNA. No other vendors or products are cited, so the impact is limited to applications that depend on this module.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as a critical-severity, remotely exploitable vulnerability, while the EPSS score of less than 1% indicates a low expected probability of exploitation at the time of analysis. Despite this, the lack of a warning when uuidgen fails and the use of a predictable fallback could let attackers generate legitimate session IDs, effectively bypassing authentication. The combination of top-tier severity and a session-hijack scenario warrants vigilant monitoring and prompt remediation.

Generated by OpenCVE AI on April 17, 2026 at 18:59 UTC.

Remediation

Vendor Solution

Upgrade to Concierge::Sessions v0.8.5 or later.


OpenCVE Recommended Actions

  • Upgrade Concierge::Sessions to v0.8.5 or later, which replaces the insecure generation logic with a cryptographically secure source.
  • Verify that uuidgen is available and executed with the --random flag, or configure the module to use a secure random generator such as Crypt::URandom, to eliminate reliance on time-based or deterministic values.
  • Enforce error handling on uuidgen failures by patching generate_session_id so that the process aborts instead of falling back to rand(); this serves as a temporary mitigation until the library upgrade can be deployed.
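The following Perl script is an added example, not code from Concierge::Sessions or from OpenCVE. It illustrates the two defensive points above: a fail-closed session-ID generator built on Crypt::URandom (assumed installed) with no uuidgen call and no rand() fallback, and an audit helper that inspects session IDs an application has already issued and flags the time-based UUID versions (the kind uuidgen emits without --random). The function names and the sample IDs are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not code from Concierge::Sessions or OpenCVE): a hardened
# session-ID generator that fails closed, plus a check that flags time-based
# (version 1/6) UUIDs among IDs an application has already handed out.
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # assumed installed; CSPRNG from the OS

# Hardened replacement for the vulnerable pattern. No uuidgen, no rand()
# fallback: if the CSPRNG is unavailable, die rather than issue a guessable ID.
sub secure_session_id {
    my $bytes = 32;                                   # 256 bits of entropy
    my $raw   = eval { urandom($bytes) };
    die "secure random source unavailable: $@"
        if !defined $raw || length($raw) != $bytes;
    return unpack('H*', $raw);                        # 64 hex characters
}

# RFC 9562 layout: the version nibble is the first hex digit of the third
# group (xxxxxxxx-xxxx-Vxxx-xxxx-xxxxxxxxxxxx). Version 1 embeds a timestamp
# and node ID; version 4 is the random variant that uuidgen --random produces.
sub uuid_version {
    my ($uuid) = @_;
    return undef
        unless $uuid =~ /\A[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}\z/i;
    return hex($1);
}

# Audit helper: classify each ID. Strings that are not UUID-shaped are
# reported as "opaque" (for example the output of secure_session_id above).
sub classify_session_id {
    my ($id) = @_;
    my $v = uuid_version($id);
    return 'opaque'     unless defined $v;
    return 'time-based' if $v == 1 || $v == 6;        # clock-derived, guessable
    return 'random'     if $v == 4;
    return "uuid-v$v";
}

# Constructed sample values for the audit (not real session IDs).
my @samples = (
    'f81d4fae-7dec-11d0-a765-00a0c91e6bf6',   # well-known RFC 4122 example, version 1
    '5b8d8c5a-3f3c-4e2a-9b1f-2c6b7a8d9e0f',   # constructed, version 4 shape
    secure_session_id(),                      # opaque 256-bit hex token
);
for my $id (@samples) {
    printf "%-64s %s\n", $id, classify_session_id($id);
}
```

Run against a dump of the session cookies your own application issues, any ID classified as "time-based" indicates that the generator fell through to a clock-derived UUID; an "opaque" or "random" result is what a patched deployment should produce.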

Generated by OpenCVE AI on April 17, 2026 at 18:59 UTC.


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:15:00 +0000

Type: First Time appeared
Values Added: Bva concierge\
Type: CPEs
Values Added: cpe:2.3:a:bva:concierge\:\:sessions:*:*:*:*:*:perl:*:*
Type: Vendors & Products
Values Added: Bva concierge\

Tue, 17 Feb 2026 15:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Bva; Bva concierge::sessions
Type: Vendors & Products
Values Added: Bva; Bva concierge::sessions

Mon, 16 Feb 2026 21:45:00 +0000

Type: Description
Values Added: the vulnerability description reproduced in the Description section above
Type: Title
Values Added: Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids
Type: Weaknesses
Values Added: CWE-338, CWE-340
Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-02-17T14:45:00.408Z

Reserved: 2026-02-12T23:47:52.767Z

Link: CVE-2026-2439

Vulnrichment

Updated: 2026-02-17T14:44:55.452Z

NVD

Status: Analyzed

Published: 2026-02-16T22:22:41.470

Modified: 2026-03-10T18:12:46.927

Link: CVE-2026-2439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses