CVE-2026-2439
Received Received - Intake
Insecure Session ID Generation in Concierge::Sessions Allows Access

Publication date: 2026-02-16

Last updated on: 2026-03-10

Assigner: CPANSec

Description
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically, * There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason. * The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses. * UUIDs are identifiers whose mere possession grants access, as per RFC 9562. * The output of the built-in rand() function is predictable and unsuitable for security applications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-02-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2439
EUVD
EUVD-2026-7824
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bva concierge From 0.8.1 (inc) to 0.8.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-340 The product uses a scheme that generates numbers or identifiers that are more predictable than required.
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl, where the generate_session_id function creates insecure session IDs.

The function tries to generate a UUID using the uuidgen command, but if that command fails, it silently falls back to Perl's built-in rand() function without any warning.

The uuidgen command may generate time-based UUIDs if the system lacks a high-quality random number source, and since system time is shared in HTTP responses, these UUIDs can be predictable.

The rand() function's output is predictable and not suitable for security purposes.

Because session IDs are identifiers that grant access, attackers can guess these insecure session IDs and gain unauthorized access to systems.

Impact Analysis

This vulnerability can allow attackers to guess session IDs and gain unauthorized access to systems that rely on these session identifiers for authentication.

Such unauthorized access can lead to data breaches, unauthorized actions within the system, and compromise of user accounts.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart