CVE-2026-5081

Name of the Vulnerable Software and Affected Versions Apache::Session::Generate::ModUniqueId versions 1.54 through 1.94

Description Apache::Session::Generate::ModUniqueId uses the UNIQUE ID environment variable for session identifiers. This variable is generated by the Apache mod unique id plugin using the IPv4 address, process ID, epoch time, a 16-bit counter, and a thread index without obfuscation. Because the server IP, process IDs, and timestamps are often public or predictable, these session identifiers are insecure and unsuitable for security purposes.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.