CVE-2026-5081
Analyzed Analyzed - Analysis Complete
Session ID Generation Vulnerability in Apache::Session::Generate::ModUniqueId

Publication date: 2026-05-06

Last updated on: 2026-06-05

Assigner: CPANSec

Description
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5081
EUVD
EUVD-2026-27823
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chorny apache From 1.54 (inc) to 1.94 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-340 The product uses a scheme that generates numbers or identifiers that are more predictable than required.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Apache::Session::Generate::ModUniqueId results in insecure session IDs that can be predicted or guessed due to their construction from publicly or easily inferred values such as server IP, process ID, and timestamps.

This insecurity can lead to session hijacking or unauthorized access, which compromises the confidentiality and integrity of user sessions.

Such weaknesses may violate data protection requirements in standards and regulations like GDPR and HIPAA, which mandate appropriate security measures to protect personal and sensitive data.

Specifically, failure to secure session identifiers can lead to unauthorized disclosure or alteration of protected information, undermining compliance with these regulations.

Executive Summary

The vulnerability exists in Apache::Session::Generate::ModUniqueId versions 1.54 through 1.94, which generate Perl session IDs using the UNIQUE_ID environment variable set by the Apache mod_unique_id plugin.

The UNIQUE_ID is created based on the IPv4 address, process ID, epoch time, a 16-bit counter, and a thread index without any obfuscation, making it insecure.

Because the server IP, process IDs, and timestamps can be publicly known or guessed, the session IDs can be predicted or reconstructed, compromising session security.

The mod_unique_id module is intended only to generate unique request identifiers for logging and correlation, not for security or session identification purposes.

Impact Analysis

This vulnerability can lead to insecure session IDs that are predictable or guessable by attackers.

An attacker could potentially hijack or impersonate user sessions by predicting valid session IDs, leading to unauthorized access.

Since the session IDs are based on easily obtainable or guessable information like IP addresses, process IDs, and timestamps, the risk of session fixation or session hijacking attacks increases.

Detection Guidance

This vulnerability involves the use of Apache::Session::Generate::ModUniqueId versions 1.54 through 1.94, which generate insecure session IDs based on the UNIQUE_ID environment variable set by the Apache mod_unique_id module.

To detect if your system is affected, you can check if your Apache server is using the mod_unique_id module and if your Perl sessions are generated using Apache::Session::Generate::ModUniqueId within the vulnerable version range.

  • Check if mod_unique_id is enabled in Apache: `apachectl -M | grep unique_id`
  • Inspect your Perl session generation code or configuration to see if Apache::Session::Generate::ModUniqueId is used and verify its version.
  • Look for the presence of the UNIQUE_ID environment variable in your Apache request environment: `echo $UNIQUE_ID` within a CGI or mod_perl environment.
Mitigation Strategies

To mitigate this vulnerability, you should avoid using Apache::Session::Generate::ModUniqueId for session ID generation because it produces predictable and insecure session IDs.

Instead, switch to a more secure session ID generator that uses strong randomness and does not rely on predictable values like IP address, process ID, or timestamps.

  • Replace Apache::Session::Generate::ModUniqueId with Apache::Session::Generate::Random, which generates secure random session IDs using the system's source of randomness.
  • Ensure your Apache server is updated and configured to use secure session management modules.
  • Review your application code to remove any dependency on the UNIQUE_ID environment variable for security-sensitive operations.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart