PT-2026-54520 · Cpan · Cgi::Session::Id::Md5

Mark Stosberg +1 · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-56016

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CGI::Session::ID::md5 versions prior to 4.49

Description

Predictable session IDs are generated from low-entropy sources. The generate_id() function creates the session ID using an MD5 digest of the process ID, the epoch time, and the built-in rand() function. These sources are considered low-entropy because the process ID is drawn from a small range, the epoch time can be guessed or retrieved from the HTTP Date header, and the rand() function is predictable and reversible. An attacker who predicts a session ID can impersonate a session and bypass authentication.

Recommendations

Update CGI::Session::ID::md5 to version 4.49 or later.
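
The construction described above, next to a hardened generator, as an added example that is not the module's own code or its 4.49 fix. It assumes a Unix-like host with /dev/urandom; the names weak_id, strong_id and weak_entropy_bits and the figures passed to the estimate are illustrative assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5;

# Construction the advisory describes: MD5 over PID, epoch time and rand().
# Illustrative sketch, not the module's source.
sub weak_id {
    my $md5 = Digest::MD5->new;
    $md5->add($$, time(), rand());
    return $md5->hexdigest;
}

# Hardened form. Assumption: Unix-like host exposing /dev/urandom.
# 16 bytes (128 bits) from the kernel CSPRNG, hex-encoded to 32 characters,
# the same width as the MD5 hex digest.
sub strong_id {
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, 16);
    close($fh);
    die "short read from /dev/urandom\n" unless defined $got && $got == 16;
    return unpack('H*', $buf);
}

# Upper bound, in bits, on what is unknown to someone guessing a weak ID.
# The digest adds nothing: the output is fixed once the three inputs are.
sub weak_entropy_bits {
    my (%in) = @_;
    my $log2 = sub { log($_[0]) / log(2) };
    return $log2->($in{pid_space})
         + $log2->($in{clock_window_s})
         + $in{rand_seed_bits};
}

# Constructed figures (assumptions, not measurements from any real host):
my $bits = weak_entropy_bits(
    pid_space      => 32768,  # a common Linux pid_max value
    clock_window_s => 2,      # server clock known to within a second or two
    rand_seed_bits => 32,     # assumed size of the rand() seed space
);

printf "weak id   : %s (at most %.0f unknown bits)\n", weak_id(), $bits;
printf "strong id : %s (128 random bits)\n", strong_id();
```

Both IDs have the same 32-character hex format, so the output width says nothing about strength; only the inputs do.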


Related Identifiers

CVE-2026-56016

Affected Products

Cgi::Session::Id::Md5