CVE-2026-2439: Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids

CVE-2026-2439: Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids Timothy Legge 16 Feb 2026 21:27 UTC
========================================================================
CVE-2026-2439                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-2439
   Distribution:  Concierge-Sessions
       Versions:  from 0.8.1 before 0.8.5

       MetaCPAN:  https://metacpan.org/dist/Concierge-Sessions
       VCS Repo:  https://github.com/bwva/Concierge-Sessions

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate
insecure session ids

Description
-----------
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate
insecure session ids.

The generate_session_id function in Concierge::Sessions::Base defaults
to using the uuidgen command to generate a UUID, with a fallback to
using Perl's built-in rand function.
Neither of these methods are secure, and attackers are able to guess
session_ids that can grant them access to systems.

Specifically,

   *  There is no warning when uuidgen fails. The software can be
quietly using the fallback rand() function with no warnings if the
command fails for any reason.

   *  The uuidgen command will generate a time-based UUID if the system
does not have a high-quality random number source, because the call
does not explicitly specify the --random option. Note that the system
time is shared in HTTP responses.

   *  UUIDs are identifiers whose mere possession grants access, as per
RFC 9562.

   *  The output of the built-in rand() function is predictable and
unsuitable for security applications.

Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

Solutions
---------
Upgrade to Concierge::Sessions v0.8.5 or later.

References
----------
https://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Sessions-v0.8.5#lib/Concierge/Sessions/Base.pm
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations
https://perldoc.perl.org/5.42.0/functions/rand
https://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c215be65e73b

Credits
-------
Robert Rothenberg, finder