{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-2439","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-02-12T23:47:52.767Z","datePublished":"2026-02-16T21:25:21.091Z","dateUpdated":"2026-02-17T14:45:00.408Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Concierge-Sessions","product":"Concierge::Sessions","programFiles":["lib/Concierge/Sessions/Base.pm"],"repo":"https://github.com/bwva/Concierge-Sessions","vendor":"BVA","versions":[{"lessThan":"0.8.5","status":"affected","version":"0.8.1","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Robert Rothenberg"}],"descriptions":[{"lang":"en","value":"Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,\n\n  *  There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.\n  *  The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.\n  *  UUIDs are identifiers whose mere possession grants access, as per RFC 9562.\n  *  The output of the built-in rand() function is predictable and unsuitable for security applications."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-340","description":"CWE-340 Generation of Predictable Numbers or Identifiers","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-338","description":"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-02-16T21:25:21.091Z"},"references":[{"tags":["related"],"url":"https://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Sessions-v0.8.5#lib/Concierge/Sessions/Base.pm"},{"tags":["related"],"url":"https://security.metacpan.org/docs/guides/random-data-for-security.html"},{"tags":["related"],"url":"https://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations"},{"tags":["related"],"url":"https://perldoc.perl.org/5.42.0/functions/rand"},{"tags":["patch"],"url":"https://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c215be65e73b"}],"solutions":[{"lang":"en","value":"Upgrade to Concierge::Sessions v0.8.5 or later."}],"source":{"discovery":"UNKNOWN"},"title":"Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids","x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-02-17T14:44:27.594037Z","id":"CVE-2026-2439","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-17T14:45:00.408Z"}}]}}