CVE-2026-8503: Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids
Robert Rothenberg 15 May 2026 11:14 UTC
========================================================================
CVE-2026-8503 CPAN Security Group
========================================================================
CVE ID: CVE-2026-8503
Distribution: Apache-Session-Browseable
Versions: before 1.3.19
MetaCPAN: https://metacpan.org/dist/Apache-Session-Browseable
VCS Repo: https://github.com/LemonLDAPNG/Apache-Session-Browseable
Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl
create insecure session ids
Description
-----------
Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl
create insecure session ids.
Apache::Session::Generate::SHA256 generated session ids insecurely. The
default session id generator concatenates the output of the built-in
rand() function, the epoch time and the PID, takes a SHA-256 hash of that
string, and hashes the result again. These are predictable, low-entropy
sources, and hashing them does not add entropy. Predictable session ids
could allow an attacker to gain access to systems.
Note that version 1.3.19 silently falls back to the insecure session
generation method if the call to Crypt::URandom::urandom fails.
However, this is unlikely because Crypt::URandom is a hard requirement
of the module.
This issue is similar to CVE-2025-40931 for
Apache::Session::Generate::MD5.
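As an added illustration (not the module's source), the weak construction described above beside a hardened generator that draws the id from Crypt::URandom::urandom and fails closed instead of silently falling back to the weak path; the generate_weak, generate_strong and validate names are assumptions.

```perl
#!/usr/bin/env perl
use 5.010;
use strict;
use warnings;
use Digest::SHA    qw(sha256_hex);
use Crypt::URandom qw(urandom);

# Weak generator, modelled on the advisory's description (assumption: this
# is not the module's actual code). rand(), time() and $$ are all guessable
# by an observer, and hashing the string twice adds no entropy.
sub generate_weak {
    my ($session) = @_;
    my $length = $session->{args}{IDLength} // 32;
    my $seed   = time() . rand() . $$;
    $session->{data}{_session_id} = substr(sha256_hex(sha256_hex($seed)), 0, $length);
    return $session->{data}{_session_id};
}

# Hardened generator: 32 bytes from the OS CSPRNG via Crypt::URandom, hashed
# only to keep the same hex shape. Crypt::URandom croaks on failure; the
# eval turns that into an explicit die rather than a silent downgrade.
sub generate_strong {
    my ($session) = @_;
    my $length = $session->{args}{IDLength} // 32;
    my $bytes  = eval { urandom(32) };
    die "secure random source unavailable: " . ($@ || 'unknown error')
        unless defined $bytes && length($bytes) == 32;
    $session->{data}{_session_id} = substr(sha256_hex($bytes), 0, $length);
    return $session->{data}{_session_id};
}

# Same role as an Apache::Session generator's validate hook: accept only
# lowercase hex ids so a malformed id never reaches the store backend.
sub validate {
    my ($session) = @_;
    my $id = $session->{data}{_session_id};
    die "invalid session id" unless defined $id && $id =~ /\A[0-9a-f]+\z/;
    return 1;
}

# Constructed session hash in the shape Apache::Session passes to generators.
my %session = ( args => { IDLength => 32 }, data => {} );
say "weak:   ", generate_weak(\%session);
say "strong: ", generate_strong(\%session);
validate(\%session);
```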
Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
Workarounds
-----------
Upgrade to version 1.3.19 or later.
References
----------
https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/changes
https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/diff/GUIMARD/Apache-Session-Browseable-1.3.18#lib/Apache/Session/Generate/SHA256.pm
https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776eec3dd8bf4748b15fa827dbd0.patch
https://www.cve.org/CVERecord?id=CVE-2025-40931
https://www.cve.org/CVERecord?id=CVE-2025-40932
Timeline
--------
- 2026-05-13: Issue identified by CPANSec
- 2026-05-13: Issue reported to author
- 2026-05-14: Version 1.3.19 released