Insecure Session ID Generation in Solstice Product by Perl Vendor
CVE-2026-5085

Key Information:

Vendor: Mcrawfor

CVE Published: 13 April 2026

What is CVE-2026-5085?

The Solstice::Session Perl module, in versions up to 1440, generates session IDs from inputs that undermine their secrecy. Its _generateSessionID method builds the ID from the epoch time, a stringified reference to a fresh hash, Perl's built-in rand() function, and the process ID. The epoch time is predictable to a client, since the server's clock is exposed through the HTTP Date header when that header is not suppressed; a stringified hash reference carries discernible structure (it renders as HASH(0x...) followed by a memory address) rather than random content; and Perl's rand() is not suitable for security-sensitive use because of its limited seed range, which further weakens the uniqueness of the resulting IDs. Together these make session IDs predictable enough that an attacker could guess a valid one and gain unauthorized access to another user's session.
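The weak construction described above, reconstructed as an illustration beside a hardened alternative. This is an added example, not Solstice's own code; the secure variant assumes a Unix-like system where /dev/urandom is available.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Weak generator, constructed here to illustrate the pattern the advisory
# describes (epoch time, stringified hash ref, rand(), PID). Not Solstice's code.
sub weak_session_id {
    my $epoch   = time();   # predictable: the server clock is visible via the Date header
    my $hashref = {};       # stringifies to HASH(0x...), a memory address, not randomness
    my $rnd     = rand();   # Perl's rand() is not a CSPRNG; small seed space
    my $pid     = $$;       # process ID: a small, often guessable range
    return join('', $epoch, $hashref, $rnd, $pid);
}

# Hardened generator: 32 bytes from the kernel CSPRNG, hex-encoded.
# Core Perl only (assumes /dev/urandom exists); CPAN modules such as
# Crypt::URandom wrap the same source portably.
sub secure_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $n = read($fh, my $bytes, 32);
    close($fh);
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack('H*', $bytes);   # 64 hex characters, 256 bits of entropy
}

# Show that the weak ID leaks its own inputs: the leading epoch and the
# HASH(0x...) fragment are recoverable from the ID string itself.
my $weak = weak_session_id();
printf "weak:   %s\n", $weak;
printf "  leading epoch recovered: %s\n", ($weak =~ /^(\d{10})/) ? $1 : 'n/a';
printf "  contains HASH(0x...):    %s\n", ($weak =~ /HASH\(0x[0-9a-f]+\)/) ? 'yes' : 'no';
printf "secure: %s\n", secure_session_id();
```

A review check for similar code is to flag any session or token generator whose inputs are time(), $$, rand() or a stringified reference, and require a CSPRNG-backed source instead.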

Affected Version(s)

Solstice::Session 0 <= 1440
