CVE-2026-56016

Predictable Session ID in CGI::Session::ID::md5

Vulnerability report for CVE-2026-56016, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: CPANSec

Description

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from an MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. Hashing these inputs with MD5 does not add entropy; the digest is only as hard to guess as the inputs. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.


Affected Vendors & Products

Currently, no data is known.


Exploitability

CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Executive Summary

CVE-2026-56016 affects CGI::Session::ID::md5 versions before 4.49 for Perl, where session IDs are generated using predictable, low-entropy sources. The generate_id method creates session IDs by taking an MD5 digest of the process ID (PID), the epoch time, and Perl's built-in rand() function.

All three sources are predictable: the PID comes from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is predictable and reversible. This predictability allows an attacker to guess valid session IDs.

By predicting a session ID, an attacker can impersonate the corresponding session and bypass authentication mechanisms.

Impact Analysis

This vulnerability allows an attacker to predict session IDs, which can lead to session hijacking.

An attacker who successfully predicts a session ID can impersonate a legitimate user, bypass authentication, and gain unauthorized access to the application or system.

This can result in unauthorized data access, manipulation, or other malicious activities depending on the privileges of the compromised session.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade CGI::Session::ID::md5 to version 4.49 or later. The fixed version uses the Crypt::SysRandom module to generate cryptographically secure random bytes for session IDs, replacing the previous predictable method based on low-entropy sources such as process ID, epoch time, and Perl's rand() function.
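To make the weak and fixed schemes concrete, here is an added Perl example written for this page (not the module's own code): the first generator reconstructs the low-entropy recipe the description gives, the second follows the fix described above. It assumes Crypt::SysRandom exports random_bytes($n).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::SysRandom qw(random_bytes);   # assumed export name

# Illustrative reconstruction of the weak scheme in the advisory: every input
# (PID, epoch seconds, Perl's rand()) is small-range or predictable, and MD5
# adds no entropy, so the digest is no harder to guess than its inputs.
sub generate_id_weak {
    my $seed = join '', $$, time(), rand();   # pid . epoch . rand()
    return md5_hex($seed);
}

# Hardened form modelled on the described fix: the id is derived only from
# bytes read from the operating system's CSPRNG, with no guessable inputs.
sub generate_id_secure {
    my $bytes = random_bytes(16);             # 128 bits of entropy
    return unpack 'H*', $bytes;               # 32 hex chars, same shape as an MD5 hex digest
}

# Reviewer self-check: with rand() reseeded to the same value, the weak
# generator returns the same id twice inside one second (PID and time() are
# unchanged), which is exactly the property an attacker relies on.
sub weak_id_repeats_with_fixed_inputs {
    srand(42); my $first  = generate_id_weak();
    srand(42); my $second = generate_id_weak();
    return $first eq $second;                 # true unless time() ticked between calls
}

# The secure generator has no such input to fix: repeated calls differ.
sub secure_ids_are_distinct {
    my %seen;
    $seen{ generate_id_secure() }++ for 1 .. 100;
    return scalar(keys %seen) == 100;
}

print "weak id repeats with fixed inputs: ",
      (weak_id_repeats_with_fixed_inputs() ? "yes" : "no"), "\n";
print "secure ids distinct over 100 calls: ",
      (secure_ids_are_distinct() ? "yes" : "no"), "\n";
```

Deploying the secure generator is the code-level change; the rest of the mitigation is the version upgrade the advisory names, since the fixed release applies the same change inside CGI::Session::ID::md5 itself.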

Compliance Impact

This vulnerability allows attackers to predict session IDs due to the use of low-entropy sources in generating them. As a result, attackers can impersonate legitimate sessions and bypass authentication.

Such unauthorized access and session hijacking can lead to exposure or compromise of sensitive personal or health information, which would violate common standards and regulations like GDPR and HIPAA that require strong authentication and protection of user data.

Therefore, systems using vulnerable versions of CGI::Session::ID::md5 may fail to meet compliance requirements related to secure session management and data protection.
