Description
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.

Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation.

The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header).

The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
Published: 2026-05-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache::Session::Generate::ModUniqueId generates session identifiers from the UNIQUE_ID environment variable, a flaw that corresponds to CWE-341, insecure random number generation, where the ID is composed of the client IP, process ID, epoch time, a counter, and a thread index, with no obfuscation. Because each element is predictable or can be guessed, an attacker who can observe or infer previously issued session IDs can construct future identifiers. When those session IDs are used for authentication or to grant access to restricted data, the vulnerability permits session hijacking, allowing an adversary to impersonate authenticated users.

Affected Systems

Affected systems include CHORNY’s Apache::Session::Generate::ModUniqueId module, with versions 1.54 through 1.94 identified as vulnerable. Any Perl application that relies on this module for session ID generation, especially if the IDs are used for security decisions, is at risk unless the module is replaced or the session strategy is changed.

Risk and Exploitability

The CVSS score of 9.1 indicates a severe flaw that can lead to significant compromise. This weakness is classified as CWE-341, insecure random number generation, which means the session IDs can be predicted based on observable information. The EPSS score of 0.00029 indicates a very low but non‑zero probability of exploitation; however, because session IDs may be used for authentication, the risk remains pronounced. The vulnerability is not listed in the CISA KEV catalog, yet its fundamental weakness in random number generation exposes a critical security gap. Attackers would typically target the web application from a network location, leveraging predictable session IDs to hijack user sessions and access protected resources.

Generated by OpenCVE AI on May 11, 2026 at 18:29 UTC.

Remediation

Vendor Solution

In cases where the session id is used for authentication or provides access to restricted data, consider alternate solutions like Apache::Session::Generate::Random.

OpenCVE Recommended Actions

  • Replace Apache::Session::Generate::ModUniqueId with Apache::Session::Generate::Random or another module that generates cryptographically secure session identifiers.
  • Reconfigure any application components that rely on the session ID for authentication to use a separate, strong authentication mechanism or to validate session IDs against additional security attributes.
  • Invalidate all existing session tokens that may have been generated by the vulnerable module, and enforce a strict session expiration policy to limit the window of exploitation.

Generated by OpenCVE AI on May 11, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Chorny apache\
CPEs cpe:2.3:a:chorny:apache\:\:session\:\:generate\:\:moduniqueid:*:*:*:*:*:perl:*:*
Vendors & Products Chorny apache\

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-341
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Chorny
Chorny apache::session::generate::moduniqueid
Vendors & Products Chorny
Chorny apache::session::generate::moduniqueid

Wed, 06 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
Title Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure
Weaknesses CWE-340
References

Subscriptions

Chorny Apache::session::generate::moduniqueid Apache\
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-06T16:32:47.250Z

Reserved: 2026-03-28T19:10:32.393Z

Link: CVE-2026-5081

cve-icon Vulnrichment

Updated: 2026-05-06T16:32:47.250Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T13:16:09.833

Modified: 2026-06-05T20:34:02.643

Link: CVE-2026-5081

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-06T12:16:38Z

Links: CVE-2026-5081 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:30:05Z

Weaknesses