Session ID Generation Flaw in WebDyne::Session by WebDyne
CVE-2026-5084

Currently unrated

Key Information:

Vendor: Aspeer

CVE Published: 11 May 2026

What is CVE-2026-5084?

WebDyne::Session, in versions up to 2.075, generates session IDs insecurely. The session ID is an MD5 hash seeded with a predictable value derived from the built-in rand() function. Because the seed has insufficient randomness, the resulting session IDs are easy to predict, and an attacker who guesses a valid session ID can potentially gain unauthorized access to systems. The session handling mechanism is therefore inadequate for protecting sensitive information.
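The weak pattern described above next to a hardened form, as an added example that is not WebDyne's source and does not come from the advisory. The names `weak_session_id` and `strong_session_id` are hypothetical, the `md5_hex(rand())` line is an assumed illustration of hashing rand() output, and a Unix-like system with /dev/urandom is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern (assumed illustration, not WebDyne's code): MD5 over a value
# taken from the built-in rand(). Hashing adds no entropy, so the ID is only
# as unpredictable as the PRNG state behind rand().
sub weak_session_id {
    return md5_hex(rand());
}

# Hardened form: 128 bits read directly from the kernel CSPRNG, hex encoded.
# Dies rather than falling back to rand() if the read fails.
sub strong_session_id {
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, 16);
    close($fh);
    die "short read from /dev/urandom\n" unless defined $got && $got == 16;
    return unpack('H*', $buf);
}

# The same PRNG state always yields the same "random" session ID.
srand(20260511);    # constructed seed value
my $first = weak_session_id();
srand(20260511);
my $second = weak_session_id();
printf "weak IDs identical under equal PRNG state: %s\n",
    $first eq $second ? 'yes' : 'no';

# Both generators emit 32 hex characters, so the output format alone does
# not tell a reviewer which one is in use; the entropy source does.
my ($id1, $id2) = (strong_session_id(), strong_session_id());
printf "strong ID well-formed: %s\n", $id1 =~ /\A[0-9a-f]{32}\z/ ? 'yes' : 'no';
printf "strong IDs differ:     %s\n", $id1 ne $id2 ? 'yes' : 'no';
```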

Affected Version(s)

WebDyne::Session 0 <= 2.075

Timeline

  • Vulnerability published

  • Vulnerability Reserved
