Predictable Session ID Risk in CGI::Session::ID::md5 for Perl
CVE-2026-56016

Currently unrated

Key Information:

Vendor: Markstos

CVE Published: 1 July 2026

What is CVE-2026-56016?

The CGI::Session::ID::md5 module for Perl generates session IDs from low-entropy sources: the process ID, the epoch time, and the built-in rand() function. These inputs can be predicted or easily guessed, which allows an attacker to impersonate an existing session. This poses a significant risk, because it can enable unauthorized access and authentication bypass in applications that use this module. Developers should give it immediate attention and update to a safer version.
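
The weak pattern described above next to a hardened generator, as an added example (not the module's source and not code from this advisory). The function names are hypothetical, and the hardened version assumes a Unix-like host that provides /dev/urandom.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern as the advisory describes it (a sketch, not the module's source).
# Every input is guessable: the PID is a small integer, the epoch time is known
# to within seconds, and rand() is a non-cryptographic PRNG. Hashing the inputs
# with MD5 changes how the ID looks, not how much entropy it contains.
sub weak_session_id {
    return md5_hex($$ . time() . rand());
}

# Hardened form: 128 bits read directly from the kernel CSPRNG, hex-encoded.
# Assumption: /dev/urandom exists; on other platforms use a CSPRNG module.
sub strong_session_id {
    my $nbytes = 16;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $nbytes) {
        # Append to $buf until the full length has been read.
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom"    if $got == 0;
    }
    close($fh);
    return unpack('H*', $buf);
}

# Both generators emit 32 lowercase hex characters, so a format check alone
# cannot tell an application how an ID was produced.
sub looks_like_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{32}\z/ ? 1 : 0;
}

my $weak   = weak_session_id();
my $strong = strong_session_id();
printf "weak   (pid/time/rand): %s valid_format=%d\n",
    $weak, looks_like_session_id($weak);
printf "strong (/dev/urandom) : %s valid_format=%d\n",
    $strong, looks_like_session_id($strong);
```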

Affected Version(s)

CGI::Session::ID::md5: versions from 0 up to (but not including) 4.49
