Skip to main content

Apache::Session::Generate::ModUniqueId CVE-2026-5081

| EUVDEUVD-2026-27823 CRITICAL
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-05-06 CPANSec GHSA-546v-xqjf-qgcr
9.1
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 06, 2026 - 16:31 vuln.today
CVSS changed
May 06, 2026 - 15:22 NVD
9.1 (None) 9.1 (CRITICAL)

DescriptionCVE.org

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.

Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation.

The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header).

The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.

AnalysisAI

Predictable session ID generation in Apache::Session::Generate::ModUniqueId 1.54-1.94 allows remote unauthenticated attackers to forge session tokens and hijack user sessions. The vulnerability stems from using Apache mod_unique_id values as session identifiers-these values are deterministic and constructed from publicly observable or easily guessable components (server IP, process ID, timestamp, counter). With CVSS 9.1 and SSVC automation classification, this enables systematic session hijacking at scale despite no confirmed active exploitation.

Technical ContextAI

Apache::Session::Generate::ModUniqueId is a Perl module for generating session identifiers, introduced in version 1.54 of the Apache::Session package. The vulnerable implementation relies on the UNIQUE_ID environment variable populated by Apache's mod_unique_id module. While mod_unique_id serves legitimate purposes for request correlation in logging, it generates identifiers using a deterministic algorithm combining IPv4 address, process ID (PID), Unix epoch timestamp, a 16-bit counter, and thread index-none of which are cryptographically random or obfuscated. This violates CWE-340 (Generation of Predictable Numbers or Identifiers Used in Security Contexts), as session tokens must be cryptographically unpredictable to prevent forgery. The timestamp component is further leaked via standard HTTP Date response headers, providing attackers with precise timing information. Server IP addresses are typically discoverable through DNS resolution or previous session observations, and process IDs can be inferred through statistical analysis of sequential session IDs.

RemediationAI

Immediately migrate to Apache::Session::Generate::Random or other cryptographically secure session ID generators as documented at https://metacpan.org/pod/Apache::Session::Generate::Random. No patched version of ModUniqueId is available-the fundamental design is insecure as mod_unique_id was never intended for security contexts per Apache documentation at https://httpd.apache.org/docs/current/mod/mod_unique_id.html. Application-level remediation requires changing session generation configuration in Apache::Session to use Random, MD5, or SHA256 generators instead of ModUniqueId. As temporary mitigation while planning migration, invalidate all existing sessions to prevent exploitation of previously issued predictable tokens, though this does not address ongoing vulnerability. Deploy additional session binding controls (IP address validation, user-agent fingerprinting) as compensating controls, understanding these add usability friction (legitimate users behind NAT or VPNs may experience logouts) and do not fully mitigate the root cause. Monitor for anomalous session usage patterns (multiple IPs using same session, rapid session enumeration) to detect exploitation attempts during transition period.

Vendor StatusVendor

Share

CVE-2026-5081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy