Description
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.

Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation.

The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header).

The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
Published: 2026-05-06
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache::Session::Generate::ModUniqueId generates session identifiers from the UNIQUE_ID environment variable, which is composed of the client IP, process ID, epoch time, a counter, and a thread index, without any obfuscation. Because each element is predictable or can be guessed, an attacker who can observe or infer previously issued session IDs can construct future identifiers. When those session IDs are used for authentication or to grant access to restricted data, the vulnerability permits session hijacking, allowing an adversary to impersonate authenticated users.

Affected Systems

Affected systems include CHORNY’s Apache::Session::Generate::ModUniqueId module, with versions 1.54 through 1.94 identified as vulnerable. Any Perl application that relies on this module for session ID generation, especially if the IDs are used for security decisions, is at risk unless the module is replaced or the session strategy is changed.

Risk and Exploitability

The CVSS score of 9.1 indicates a severe flaw that can lead to significant compromise. No EPSS probability is available, so the likelihood of exploitation is unknown but potentially high if session IDs are tied to authentication. The vulnerability is not listed in the CISA KEV catalog, yet its fundamental weakness in random number generation exposes a critical security gap. Attackers would typically target the web application from a network location, leveraging predictable session IDs to hijack user sessions and access protected resources.

Generated by OpenCVE AI on May 6, 2026 at 15:56 UTC.

Remediation

Vendor Solution

In cases where the session id is used for authentication or provides access to restricted data, consider alternate solutions like Apache::Session::Generate::Random.

OpenCVE Recommended Actions

  • Replace Apache::Session::Generate::ModUniqueId with Apache::Session::Generate::Random or another module that generates cryptographically secure session identifiers.
  • Reconfigure any application components that rely on the session ID for authentication to use a separate, strong authentication mechanism or to validate session IDs against additional security attributes.
  • Invalidate all existing session tokens that may have been generated by the vulnerable module, and enforce a strict session expiration policy to limit the window of exploitation.

Generated by OpenCVE AI on May 6, 2026 at 15:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
Title Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure
Weaknesses CWE-340
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-06T16:32:47.250Z

Reserved: 2026-03-28T19:10:32.393Z

Link: CVE-2026-5081

cve-icon Vulnrichment

Updated: 2026-05-06T16:32:47.250Z

cve-icon NVD

Status : Received

Published: 2026-05-06T13:16:09.833

Modified: 2026-05-06T17:16:23.600

Link: CVE-2026-5081

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses