
Concierge CVE-2026-2439

Severity: CRITICAL 9.8 (CVSS 3.1, NVD)
Weakness: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
Published: 2026-02-16 · 9b29abf9-4ab0-4765-b253-1875cd9b441e

Severity by source

  • NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Analysis Generated: Mar 12, 2026, 21:54 (vuln.today)
  • Patch released / patch available: Mar 10, 2026, 18:12 (nvd)
  • CVE Published: Feb 16, 2026, 22:22 (nvd), rated CRITICAL 9.8

Description (CVE.org)

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,

  • There is no warning when uuidgen fails. If the command fails for any reason, the software silently uses the fallback rand() function.
  • The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
  • RFC 9562 advises that UUIDs should not be used as security capabilities (identifiers whose mere possession grants access), since they are not guaranteed to be hard to guess.
  • The output of the built-in rand() function is predictable and unsuitable for security applications.
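The weak pattern the description outlines (shelling out to uuidgen, silently falling back to rand()) next to a hardened generator, as an added illustration in Perl; this is not code from Concierge::Sessions or from its fix, and the function names are assumed. It goes one step beyond the text by adding a check of the UUID version nibble, so an operator can tell whether uuidgen on a given host emits time-based (version 1) identifiers instead of random (version 4) ones.

```perl
#!/usr/bin/env perl
# Added illustration, not code from Concierge::Sessions: the weak pattern the
# advisory describes (uuidgen with a silent rand() fallback) next to a hardened
# generator and an audit check for time-based (version 1) UUIDs.
use strict;
use warnings;

# Hypothetical reconstruction of the weak pattern. Problems: a failing uuidgen
# is never reported, rand() is not a CSPRNG, and uuidgen without --random may
# emit a time-based UUID on hosts lacking a good entropy source.
sub weak_session_id {
    my $uuid = `uuidgen 2>/dev/null`;    # '' if the command is missing or fails
    chomp $uuid if defined $uuid;
    if ( !defined $uuid || $uuid eq '' ) {
        # silent fallback: 128 bits assembled from the predictable rand()
        $uuid = join '-', map { sprintf '%08x', int( rand( 2**32 ) ) } 1 .. 4;
    }
    return $uuid;
}

# Returns the UUID version nibble (1 = time-based, 4 = random) or undef when
# the string is not a UUID at all. Used to audit what uuidgen actually emits.
sub uuid_version {
    my ($uuid) = @_;
    return
      unless defined $uuid
      && $uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
    return hex $1;
}

# Hardened generator: 32 bytes from the OS CSPRNG, hex encoded (256 bits), and
# a hard failure instead of a fallback when the random source is unavailable.
sub strong_session_id {
    my $len = 32;
    open my $fh, '<:raw', '/dev/urandom'
      or die "session id: cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $len;
    close $fh;
    die "session id: short read from /dev/urandom"
      unless defined $got && $got == $len;
    return unpack 'H*', $bytes;
}

# Audit helper: invoke uuidgen the way the weak path does and report whether
# this host would hand out time-based identifiers or fall through to rand().
sub audit_uuidgen {
    my $uuid = `uuidgen 2>/dev/null`;
    chomp $uuid if defined $uuid;
    my $v = uuid_version($uuid);
    return 'uuidgen failed or produced no UUID; the rand() fallback would be used'
      unless defined $v;
    return "uuidgen emits version $v UUIDs"
      . ( $v == 1 ? ' (time-based, predictable from the clock)' : '' );
}

print audit_uuidgen(), "\n";
print 'strong id: ', strong_session_id(), "\n";
```

The hardened path reads /dev/urandom directly so the example has no dependencies; on CPAN, Crypt::URandom wraps the same OS source portably. The important design choices are the ones the advisory's bullets point at: the generator dies rather than degrading when its entropy source is unavailable, and the token is 256 random bits with no relationship to the system clock.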

Analysis (AI)

Perl Concierge::Sessions 0.8.1-0.8.4 generates insecure session IDs using weak randomness, enabling session prediction.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify Concierge::Sessions application
  • Delivery: Exploit weak session ID generation
  • Exploit: Guess valid session IDs using rand()
  • Execution: Hijack authenticated user session
  • Impact: Access sensitive data or perform unauthorized actions

Vulnerability Assessment (AI)

  • Exploitation: Concierge::Sessions versions 0.8.1 through 0.8.4 for Perl with the uuidgen command missing or failing, forcing a silent fallback to the insecure Perl rand() function for session ID generation. … Additional conditions and limiting factors are described in the full assessment.
  • Risk Assessment: CVSS 9.8 with patch. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
  • Exploit Scenario: An attacker predicts session tokens and takes over user sessions.
  • Remediation: Update to 0.8.5+. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all systems running Concierge::Sessions and identify affected versions. …



CVE-2026-2439 vulnerability details – vuln.today
