CVE-2026-9692
Status: Received - Intake
Insecure Session ID Generation in Mojolicious::Sessions::Storable

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: CPANSec

Description
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor       | Product                        | Version / Range
mojolicious  | mojolicious_sessions_storable  | up to 0.05 (inclusive)
mojolicious  | mojolicious_sessions_storable  | 0.05
mojolicious  | mojolicious                    | 9.46
CWE
CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
AI Quick Actions (AI-generated insights)
Executive Summary

The vulnerability in Mojolicious::Sessions::Storable versions through 0.05 for Perl is due to insecure generation of session IDs.

The default session ID generator uses a SHA-1 hash seeded with predictable or low-entropy sources such as Perl's built-in rand function, the epoch time, the heap address of an anonymous hash, and the process ID (PID).

Because these sources are predictable or have low randomness, the generated session IDs are insecure and can potentially be guessed or reproduced by attackers.

Impact Analysis

Because the session IDs are derived from weak randomness, an attacker may be able to predict or guess them.

If an attacker can predict session IDs, they may be able to hijack user sessions, impersonate users, or gain unauthorized access to sensitive information or functionality within an application.

Detection Guidance

This vulnerability involves insecure session ID generation in Mojolicious::Sessions::Storable versions through 0.05 for Perl, where session IDs are generated using predictable sources such as Perl's built-in rand function, epoch time, heap address, and PID.

To detect this vulnerability on your system, check the installed version of Mojolicious::Sessions::Storable and inspect whether its session ID generation draws on insecure sources, such as rand() and SHA-1 hashing of predictable values.

  • Check the installed version of Mojolicious::Sessions::Storable to see if it is version 0.05 or earlier.
  • Review the source code or loaded modules to verify if the session ID generation uses the weak method involving rand(), PID, and time.
  • Monitor network traffic for session IDs that appear predictable or follow patterns consistent with weak random generation.

Specific commands might include:

  • Use Perl to print the Mojolicious::Sessions::Storable version: perl -MMojolicious::Sessions::Storable -e 'print $Mojolicious::Sessions::Storable::VERSION, "\n";'
  • Search your application code for usage of Mojolicious::Sessions::Storable and inspect the sid_generator method or session ID creation logic.
  • Capture session IDs from network traffic (e.g., using tcpdump or Wireshark) and analyze their entropy or predictability.
Mitigation Strategies

To mitigate this vulnerability, you should update Mojolicious::Sessions::Storable to a version that uses a cryptographically secure pseudorandom number generator (CSPRNG) for session ID generation.

Specifically, versions after 0.05 replace the weak session ID generation method with one that uses Mojo::Util's random_bytes function to generate secure 20-byte random session IDs encoded as hexadecimal strings.

  • Upgrade Mojolicious to version 9.46 or later, which includes the fixed session ID generation.
  • Ensure your Perl environment uses secure random data sources, such as those provided by modules like Crypt::URandom or Crypt::SysRandom, as recommended for generating secure tokens.
  • Avoid using Perl's built-in rand() function for security-sensitive random data.

If upgrading immediately is not possible, consider patching the session ID generation code to use a CSPRNG source for randomness.
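The following Perl script is an added example, not code from Mojolicious::Sessions::Storable itself. It covers the detection steps above (version gate, the weak pattern to look for when reviewing code) and the mitigation (a 20-byte CSPRNG-backed hex session ID). The weak generator is a reconstruction of the pattern the advisory describes, not the module's verbatim source; it assumes a Mojolicious whose Mojo::Util exports random_bytes, and that the session object exposes a sid_generator accessor taking a coderef.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojo::Util qw(random_bytes sha1_sum);

# Reconstruction of the weak pattern the advisory describes (not the module's
# verbatim source): SHA-1 over rand(), the epoch time, an anonymous hash's
# address and the PID. None of these inputs is secret or high-entropy, so the
# id is guessable; this is the shape to look for when auditing code.
sub weak_sid { return sha1_sum(join '', rand(), time, {}, $$) }

# Hardened generator: 20 bytes from the OS CSPRNG via Mojo::Util::random_bytes
# (the function the advisory says fixed versions use), hex-encoded to 40 chars.
sub secure_sid { return unpack 'H*', random_bytes(20) }

# Version gate for the detection step: every release through 0.05 is affected.
# version.pm is used so a string like '0.10' is not misread as 0.1.
sub affected_version {
  my $installed = shift;
  require version;
  return version->parse($installed) <= version->parse('0.05') ? 1 : 0;
}

# Self-check, runnable stand-alone on any host with Mojolicious installed.
my $have_module = eval { require Mojolicious::Sessions::Storable; 1 };
if ($have_module) {
  my $v = $Mojolicious::Sessions::Storable::VERSION // '0';
  print "Mojolicious::Sessions::Storable $v: ",
    (affected_version($v) ? "AFFECTED (upgrade past 0.05)\n" : "fixed\n");
}
else {
  print "Mojolicious::Sessions::Storable is not installed\n";
}

print "weak-style id: ", weak_sid(),   "\n";
print "hardened id:   ", secure_sid(), "\n";
die "hardened id must be 40 hex chars\n"
  unless secure_sid() =~ /\A[0-9a-f]{40}\z/;

# Wiring into an app (assumption: sid_generator accepts a coderef, as the
# advisory's wording suggests). Run inside the app's startup:
#   $app->sessions->sid_generator(\&secure_sid);
```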

Compliance Impact

The vulnerability in Mojolicious::Sessions::Storable versions through 0.05 involves insecure session ID generation using predictable and low-entropy sources. This weak session ID generation can lead to session hijacking or impersonation attacks, compromising the confidentiality and integrity of user sessions.

Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require appropriate technical measures to protect personal and sensitive data. Insecure session management may violate requirements for ensuring data confidentiality, integrity, and secure authentication mechanisms.

Therefore, this vulnerability could lead to non-compliance with these regulations if exploited, as it undermines the security controls necessary to protect user data and maintain secure sessions.
