Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,

* There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.

AI Analysis

Insecure session IDs generated by Concierge::Sessions due to insecure UUID generation and predictable rand() function output

Basic Information

ID CVE-2026-2439

Source CPANSec

Published Feb 16, 2026 at 21:25

Modified Feb 17, 2026 at 14:45

Affected Product

Vendor BVA

Product Concierge::Sessions

Version 0.8.1

Affected Versions BVA Concierge::Sessions 0.8.1

CWE Classification

CWE-340 CWE-338

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor BVA

Product Concierge::Sessions

Version 0.8.1-0.8.4

References

{
    "lastseen": "",
    "description": "Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,\n\n  *  There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.\n  *  The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.\n  *  UUIDs are identifiers whose mere possession grants access, as per RFC 9562.\n  *  The output of the built-in rand() function is predictable and unsuitable for security applications.",
    "published": "2026-02-16T21:25:21.091Z",
    "modified": "2026-02-17T14:45:00.408Z",
    "type": "cve",
    "title": "Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids",
    "source": "CPANSec",
    "references": "https://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Sessions-v0.8.5#lib/Concierge/Sessions/Base.pm\nhttps://security.metacpan.org/docs/guides/random-data-for-security.html\nhttps://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations\nhttps://perldoc.perl.org/5.42.0/functions/rand\nhttps://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c215be65e73b",
    "id": "CVE-2026-2439",
    "bulletinFamily": "",
    "cwe": [
        "CWE-340",
        "CWE-338"
    ],
    "cvelist": null,
    "sourceData": "BVA Concierge::Sessions 0.8.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Concierge::Sessions",
    "version": "0.8.1",
    "vendor": "BVA",
    "ai_description": "Insecure session IDs generated by Concierge::Sessions due to insecure UUID generation and predictable rand() function output",
    "ai_severity": "Critical",
    "ai_vendor": "BVA",
    "ai_product": "Concierge::Sessions",
    "ai_version": "0.8.1-0.8.4",
    "ai_score": 9.8
}

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids_CVE-2026-2439