PT-2026-8387 · Unknown · Concierge::Sessions

Robert Rothenberg · Published 2026-02-16 · Updated 2026-02-17

CVE-2026-2439 · CVSS v3.1 9.8 (Critical) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Concierge::Sessions versions 0.8.1 through 0.8.4

Description: The generate session id function in Concierge::Sessions::Base defaults to insecure methods for generating session identifiers. Specifically, it runs the uuidgen command, which may fall back to Perl's rand() function if uuidgen fails, or may produce time-based UUIDs when a high-quality random number source is unavailable. Both rand() output and time-based UUIDs are predictable and unsuitable for security purposes. Possession of a session identifier alone grants access, which makes it a security capability, and RFC 9562 warns that UUIDs must not be used that way because they cannot be assumed hard to guess. No warning is emitted when uuidgen fails, so the insecure rand() path can be taken silently.

Recommendations: Upgrade to version 0.8.5 or later.
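As an added example (not Concierge::Sessions' own code), the generator below shows the behaviour a safe session id source needs: read the identifier from the kernel CSPRNG and die when that source is unavailable or short, rather than silently downgrading to rand() or a time-based UUID. It also shows why rand() cannot serve as a fallback. The `source` option is a hypothetical knob used only to exercise the failure path.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example, not the module's own code. Reads session id bytes from the
# kernel CSPRNG and dies on any failure instead of falling back to rand().
# 'source' is a hypothetical parameter kept only to demonstrate the failure
# path; a production generator would not make the entropy source configurable.
sub secure_session_id {
    my %opt = (bytes => 32, source => '/dev/urandom', @_);
    open my $fh, '<:raw', $opt{source}
        or die "session id: cannot open $opt{source}: $!";
    my $got = read $fh, my $buf, $opt{bytes};
    close $fh;
    die "session id: short read from $opt{source}"
        unless defined $got && $got == $opt{bytes};
    return unpack 'H*', $buf;    # 256 bits of entropy as 64 hex characters
}

# Why rand() is unsuitable: it is a deterministic generator, so the same
# seed reproduces the same sequence of "session ids".
sub rand_session_id {
    return join '', map { sprintf '%02x', int(rand(256)) } 1 .. 16;
}

srand 42;
my $first = rand_session_id();
srand 42;
my $second = rand_session_id();
print "rand() ids repeat under the same seed: ",
      ($first eq $second ? "yes" : "no"), "\n";

# The loud-failure path: a missing entropy source is an error, never a
# silent downgrade to a weaker generator.
my $id = eval { secure_session_id(source => '/nonexistent/urandom') };
print "missing source fails loudly: ", (defined $id ? "no" : "yes"), "\n";
print "reason: $@" if $@;

print "secure id: ", secure_session_id(), "\n";
```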

Related Identifiers: CVE-2026-2439

Affected Products: Concierge::Sessions