Insecure Session ID Generation in Apache::Session::Generate::ModUniqueId by Apache
CVE-2026-5081

9.1 CRITICAL

Key Information:

Vendor: Chorny

CVE Published: 6 May 2026

What is CVE-2026-5081?

Apache::Session::Generate::ModUniqueId for Perl, versions 1.54 through 1.94, generates session IDs insecurely. The module uses the UNIQUE_ID environment variable set by the Apache mod_unique_id module as the session ID. That value is based on identifiable parameters such as the IPv4 address, process ID, and epoch time, without any obfuscation. As a result the session IDs are predictable and open to unauthorized access, because they can be guessed or traced back from previous sessions. mod_unique_id is useful for correlating log events but is not intended for security purposes, so session IDs taken from it are insecure.
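For contrast with an ID taken from UNIQUE_ID, the following added example (not code from Apache::Session or from this advisory) sketches a generator class whose IDs come only from the operating system's CSPRNG. The package name `Apache::Session::Generate::UrandomHex` and the helper `_random_bytes` are hypothetical; the example assumes a Unix-like host with `/dev/urandom` and the `generate`/`validate` calling convention of the other Apache::Session::Generate classes.

```perl
package Apache::Session::Generate::UrandomHex;    # hypothetical name

use strict;
use warnings;
use Carp ();

my $ID_BYTES = 32;    # 256 bits, rendered as 64 lowercase hex characters

# Read exactly $n bytes from the kernel CSPRNG (assumes /dev/urandom exists).
sub _random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or Carp::croak("cannot open /dev/urandom: $!");
    my $buf = '';
    while (length($buf) < $n) {
        my $got = sysread($fh, $buf, $n - length($buf), length($buf));
        Carp::croak("read from /dev/urandom failed: $!") unless defined $got;
        Carp::croak('unexpected EOF on /dev/urandom') if $got == 0;
    }
    close $fh;
    return $buf;
}

# Assumed calling convention of Apache::Session::Generate::* classes: the
# session object is passed in and the ID lives in {data}{_session_id}.
sub generate {
    my $session = shift;
    $session->{data}->{_session_id} = unpack 'H*', _random_bytes($ID_BYTES);
}

# Accept only the exact shape generate() emits, so IDs of any other shape
# are refused instead of being looked up in the session store.
sub validate {
    my $session = shift;
    my $id = $session->{data}->{_session_id};
    if (defined $id && $id =~ /\A([0-9a-f]{64})\z/) {
        $session->{data}->{_session_id} = $1;    # untainted copy
        return;
    }
    Carp::croak('invalid session id');
}

# Stand-alone check, using a plain hash in place of a real session object.
unless (caller) {
    my %s = (data => {});
    generate(\%s); validate(\%s);
    print "$s{data}{_session_id}\n";
}
1;
```

With Apache::Session::Flex, a class in this namespace is selected through the `Generate` argument using the last component of its package name.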

Affected Version(s)

Apache::Session::Generate::ModUniqueId 1.54 <= 1.94

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
