Skip to main content

Amon2 CVE-2026-5082

| EUVDEUVD-2026-20060 MEDIUM
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-04-08 CPANSec GHSA-gr8m-rq4x-q7c8
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 06:00 euvd
EUVD-2026-20060
Analysis Generated
Apr 08, 2026 - 06:00 vuln.today
CVE Published
Apr 08, 2026 - 05:48 nvd
MEDIUM 5.3

DescriptionCVE.org

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.

The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.

Note that the author has deprecated this module.

AnalysisAI

Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.

Technical ContextAI

The vulnerability stems from CWE-340 (Generation of Predictable Numbers or Identifiers) in the generate_session_id function of Amon2::Plugin::Web::CSRFDefender. The affected Perl module implements CSRF token defense by generating session identifiers. When the cryptographically secure /dev/urandom source is unavailable (e.g., on non-Unix systems or in restricted environments), the fallback mechanism uses SHA-1 with a seed constructed from three weak sources: the operating system PID (typically a small sequential value, often guessable or previously enumerated), the high-resolution epoch time (guessable or potentially leaked via HTTP Date headers), and Perl's built-in rand() function (a non-cryptographic PRNG unsuitable for security-sensitive operations). This combination allows an attacker to brute-force or predict session IDs without cryptographic strength. The module version 7.04 and later address this by presumably enforcing /dev/urandom or using a cryptographically appropriate alternative.

RemediationAI

Upgrade Amon2::Plugin::Web::CSRFDefender to version 7.04 or later. This can typically be done via CPAN package managers (e.g., 'cpan Amon2::Plugin::Web::CSRFDefender' or via system package managers if available). Consult the module changelog at https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes for specific fix details and any migration notes. Since the author has deprecated this module, organizations should evaluate whether to transition to an actively maintained CSRF defense library. For systems where immediate patching is not feasible, the fallback session ID generation should not be triggered by ensuring /dev/urandom is available on Unix-like systems, though this is a workaround and not a substitute for upgrading.

Share

CVE-2026-5082 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy