CVE-2026-2439 – Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids

CVE ID : CVE-2026-2439

Published : Feb. 16, 2026, 10:22 p.m. | 13 minutes ago

Description : Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl’s built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,

* There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the –random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-12062 – WP Maps

CVE-2025-15578 – Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely

CVE-2026-2474 – Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom()

CVE-2026-2001 – WowRevenue