CPANSA-Apache-Session-Browseable-2026-8503: Apache-Session-Browseable vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-05-15T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-05-15T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 6.5 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, which is then hashed again. These are predictable, low-entropy sources. Predictable session ids could allow an attacker to gain access to systems. Note that version 1.3.19 falls back, without warning, to the insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely, as Crypt::URandom is a hardcoded requirement of the module. This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.
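As an added illustration that is not part of this advisory or of Apache-Session-Browseable's own code, the snippet below contrasts a generator shaped like the weak one the advisory describes (rand(), epoch time and PID, SHA-256 hashed twice) with one that takes all of its entropy from Crypt::URandom and dies instead of falling back silently when urandom() fails. The function names are assumptions chosen for the example; Crypt::URandom and Digest::SHA are the real CPAN modules.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA   qw(sha256_hex);
use Crypt::URandom qw(urandom);

# Weak generator, shaped like the pre-1.3.19 behaviour the advisory describes:
# SHA-256 over rand(), the epoch time and the PID, then hashed a second time.
# rand() is not a CSPRNG and time/PID are guessable, so the input space is
# small regardless of how many times it is hashed (CWE-338). Kept here only
# for comparison; do not use it.
sub weak_session_id {
    return sha256_hex( sha256_hex( rand() . time() . $$ ) );
}

# Hardened generator: 32 bytes from the OS CSPRNG via Crypt::URandom.
# The hash only preserves the 64-hex-character id format; the entropy
# comes entirely from urandom(). There is deliberately no fallback: if the
# CSPRNG is unavailable, refuse to issue a session id rather than degrade.
sub secure_session_id {
    my $bytes = eval { urandom(32) };
    die "refusing to generate a session id: Crypt::URandom::urandom failed: "
      . ( $@ || 'short read' ) . "\n"
      unless defined $bytes && length($bytes) == 32;
    return sha256_hex($bytes);
}

# Format check an operator can reuse in a post-upgrade smoke test:
# ids from either generator are 64 lowercase hex characters.
sub looks_like_session_id {
    my ($id) = @_;
    return ( defined $id && $id =~ /\A[0-9a-f]{64}\z/ ) ? 1 : 0;
}

unless (caller) {
    my $id = secure_session_id();
    print "secure id: $id\n";
    print "format check: ", ( looks_like_session_id($id) ? "ok" : "FAILED" ), "\n";
    print "weak id (comparison only): ", weak_session_id(), "\n";
}
```

Run it once on the target host: a successful run confirms that Crypt::URandom can reach the OS CSPRNG there, which is the condition the advisory's fallback caveat hinges on. Because the hardened generator dies instead of silently degrading, a broken urandom source shows up as a failed request in the application log rather than as a quietly predictable session id.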
Vulnerabilities
CVE-2026-8503
| Weakness | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|---|---|
Product status
Known affected
| Product | Score |
|---|---|
| Apache-Session-Browseable less than 1.3.19 | |
Fixed
- Apache-Session-Browseable greater than or equal to 1.3.19
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Apache-Session-Browseable-2026-8503 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-apache-session-browseable-2026-8503.json
- https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776eec3dd8bf4748b15fa827dbd0.patch (external)
- https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/changes (external)
- https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/diff/GUIMARD/Apache-Session-Browseable-1.3.18#lib/Apache/Session/Generate/SHA256.pm (external)
- https://www.cve.org/CVERecord?id=CVE-2025-40931 (external)
- https://www.cve.org/CVERecord?id=CVE-2025-40932 (external)
- CVE-2026-8503 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2026-8503
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Fri May 15 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/