Description
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.

The generate_id method builds the session id from an MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.

An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
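Added example, written in Python for this page rather than taken from CGI::Session::ID::md5 or any project: a model of the construction described above, a bound on how much the attacker has to enumerate, and the enumeration itself. The pid ceiling, the clock window and the seed space are constructed assumptions, and the drand48-style step stands in for Perl's rand(), which is also a 48-bit linear congruential generator.

```python
import hashlib
import math

# Constructed assumptions for the demonstration, not measured values.
PID_MAX = 32768          # default pid_max on Linux: at most 2^15 live pids
CLOCK_WINDOW = 60        # seconds of uncertainty once the Date header is read
RAND_SEED_BITS = 16      # toy seed space standing in for the rand() state

MASK48 = (1 << 48) - 1


def toy_rand(seed: int) -> float:
    """One drand48-style LCG step in [0, 1). Stands in for Perl's rand();
    like it, the whole state is recoverable from a single output."""
    state = (0x5DEECE66D * seed + 0xB) & MASK48
    return state / float(1 << 48)


def weak_session_id(pid: int, epoch: int, seed: int) -> str:
    """Python model of the described construction: one MD5 over the pid,
    the epoch time and a rand(time) value. No input here is secret."""
    material = "%d%d%r" % (pid, epoch, toy_rand(seed) * epoch)
    return hashlib.md5(material.encode("ascii")).hexdigest()


def search_space_bits(pid_range: int, window: int, seed_bits: int) -> float:
    """Upper bound, in bits, on what the attacker must enumerate.
    Compare with the 128 bits of an id drawn from the OS CSPRNG."""
    return math.log2(pid_range) + math.log2(window) + seed_bits


def recover_session(target_id: str, now: int, pid_range: int,
                    window: int, seed_bits: int):
    """Enumerate every (pid, epoch, seed) the attacker considers possible
    and return the triple that reproduces target_id, or None."""
    for epoch in range(now - window + 1, now + 1):
        for pid in range(1, pid_range + 1):
            for seed in range(1 << seed_bits):
                if weak_session_id(pid, epoch, seed) == target_id:
                    return pid, epoch, seed
    return None


if __name__ == "__main__":
    print("bits to enumerate with the constructed parameters: %.1f"
          % search_space_bits(PID_MAX, CLOCK_WINDOW, RAND_SEED_BITS))
```

With the constructed parameters the whole space is under 37 bits, and the Date header collapses the clock term to a handful of seconds; a real attacker with a few observed ids narrows the pid and rand() terms further. The toy search below is sized to finish in well under a second; the real cost scales linearly with the remaining uncertainty, never with the 128-bit MD5 output.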
Published: 2026-07-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CGI::Session::ID::md5 versions prior to 4.49 generate session identifiers by hashing the process id, the current epoch time, and the output of Perl's built-in rand() with MD5. All three inputs are predictable and carry little entropy, so an attacker can enumerate candidate identifiers instead of having to guess a 128-bit value. This weakness corresponds to CWE-338 (Use of Cryptographically Weak PRNG) and CWE-340 (Generation of Predictable Numbers or Identifiers). An attacker who reproduces a valid session id can present it as their own session cookie, bypassing authentication and impersonating the legitimate user, which exposes any data that session protects and, depending on the application, lets the attacker act as that user.

Affected Systems

The vulnerability affects the CGI::Session::ID::md5 module shipped in the CGI-Session distribution for Perl (CPAN author MARKSTOS). Versions older than 4.49 are impacted. No specific operating system or server platform is listed, so any system running the affected module in a web context is at risk.

Risk and Exploitability

The assigned CVSS 3.1 score is 5.9 (Medium), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: exploitable over the network without privileges or user interaction, rated high complexity because the attacker still has to narrow the pid, clock and rand() state before enumerating candidates, and scored for confidentiality impact only. EPSS is below 1% and the vulnerability is not listed in the CISA KEV catalog. The practical attack path is ordinary web traffic: the HTTP Date header gives the server clock to the second, the pid range is small, and md5 is the default id generator in CGI::Session 4.x, so applications that never chose an id module are affected. Once a valid id is reproduced, the attacker hijacks that session and can read and, depending on the application, modify the resources it protects.

Generated by OpenCVE AI on July 1, 2026 at 15:02 UTC.

Remediation

Vendor Solution

Upgrade to CGI::Session 4.49 or later, which generates session ids from Crypt::SysRandom.


OpenCVE Recommended Actions

  • Upgrade the CGI::Session distribution to version 4.49 or later so that session ids are generated from Crypt::SysRandom
  • If an upgrade cannot be performed immediately, stop using CGI::Session::ID::md5; the other id modules shipped with CGI::Session 4.x (incr, static) are not random either, so the interim fix is a small CGI::Session::ID::* module that draws its bytes from the operating system CSPRNG, selected through the id: component of the DSN string
  • Only resume sessions whose id the server itself issued and still holds in its store; treat an unknown client-supplied id as no session rather than adopting it, and regenerate the id after login or any privilege change
  • Align session generation with CWE-338 and CWE-340 by sourcing every session id from a cryptographically secure generator with at least 128 bits of entropy
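Added example of the store-side half of that advice, written in Python for this page and not code from CGI::Session: ids come from the OS CSPRNG, only ids the server issued and still holds are resumed, and the id is rotated after authentication. The TTL, the injectable clock and the id length are assumptions chosen for the demonstration.

```python
import secrets
import time

ID_BYTES = 16  # 128 bits from the OS CSPRNG per id; 32 hex characters on the wire


class SessionStore:
    """Server-authoritative session store (added example, not CGI::Session).
    clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._sessions = {}          # sid -> {"data": dict, "expires": float}
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def new_id() -> str:
        # Every id comes from the OS CSPRNG: no pid, clock or rand() in the mix.
        return secrets.token_hex(ID_BYTES)

    def create(self, data=None) -> str:
        sid = self.new_id()
        self._sessions[sid] = {"data": dict(data or {}),
                               "expires": self._clock() + self._ttl}
        return sid

    def resume(self, client_sid):
        """Return the sid if the server issued it and it is still live,
        otherwise None. A client-chosen value is never adopted, so a
        guessed or attacker-planted id cannot become a session (no fixation)."""
        if not isinstance(client_sid, str) or len(client_sid) != 2 * ID_BYTES:
            return None
        rec = self._sessions.get(client_sid)
        if rec is None:
            return None
        if rec["expires"] <= self._clock():
            del self._sessions[client_sid]
            return None
        return client_sid

    def rotate(self, old_sid: str) -> str:
        """Move state to a fresh id after login or a privilege change and
        invalidate the old one, so an id observed before login is worthless after it."""
        rec = self._sessions.pop(old_sid)
        new_sid = self.new_id()
        rec["expires"] = self._clock() + self._ttl
        self._sessions[new_sid] = rec
        return new_sid

    def data(self, sid: str) -> dict:
        return self._sessions[sid]["data"]
```

The caller passes whatever arrived in the session cookie to resume(); a None result means "start a new session", never "trust the cookie". rotate() is what to call right after a successful login, with the new id written back to the cookie.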

Generated by OpenCVE AI on July 1, 2026 at 15:02 UTC.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type         Values Removed   Values Added
Description                   CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from an MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Title                         CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources
Weaknesses                    CWE-338, CWE-340
References


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-01T14:03:16.730Z

Reserved: 2026-06-18T11:27:09.117Z

Link: CVE-2026-56016

Vulnrichment

Updated: 2026-07-01T14:03:02.936Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses
  • CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-340

    Generation of Predictable Numbers or Identifiers