Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely.
The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.
The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.
The epoch time can be guessed by an attacker, and may be leaked in the HTTP header.
The process id comes from a small set of numbers, and workers may have sequential process ids.
The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications.
Predictable session ids could allow an attacker to gain access to systems.
AnalysisAI
Dancer::Session::Abstract through version 1.3522 generates cryptographically weak session identifiers by combining predictable inputs (file path, process ID, epoch time) with an insufficiently-seeded Perl rand() function, allowing remote attackers to predict valid session IDs and hijack user sessions without authentication. The vulnerability affects Perl-based web applications using Dancer framework's default session handling; active exploitation is not confirmed but the attack requires only guessing a session ID, making it practically exploitable.
Technical ContextAI
Dancer::Session::Abstract is a session management module for the Dancer web framework (Perl). The vulnerability stems from CWE-340 (Generation of Predictable Numbers or Identifiers) in the session ID generation algorithm. The code combines character codepoint sums of the application's filesystem path, the process identifier (PID), Unix epoch timestamp, and three concatenated outputs from Perl's built-in rand() function seeded with only 32 bits of entropy. Perl's rand() is documented as unsuitable for cryptographic purposes and uses a predictable seed. The CPE indicates all versions from 0 through 1.3522 are affected, with the Dancer framework commonly installed in standard locations (/opt/dancer, /var/www/dancer, etc.), making the path component partially guessable.
RemediationAI
Upgrade Dancer::Session::Abstract to a patched version released after 1.3522; vendor has confirmed patch availability. The specific patch is available at https://security.metacpan.org/patches/D/Dancer/1.3522/CVE-2026-5080-r1.patch and should be reviewed to confirm session ID generation is replaced with cryptographically secure randomness (e.g., using Crypt::Random or /dev/urandom). For immediate temporary mitigation while patching, implement session token validation by storing server-side session state with strong authentication checks and short expiration windows (5-15 minutes) to reduce the window for successful guessing; this carries the trade-off of increased server memory/storage and reduced session persistence across worker restarts. Alternatively, implement cryptographic session ID generation at the application level using Perl modules like Bytes::Random::Secure prior to patching the underlying library. Invalidate all existing sessions immediately after patching and force re-authentication to revoke any predicted session IDs already generated with the vulnerable code.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26369