Skip to content
Security Alerts

CVE-2026-5081: Insecure Session ID Generation in Perl Apache-Session

Apache::Session::Generate::ModUniqueId versions 1.54-1.94 for Perl generate insecure session IDs based on predictable server metadata, exposing sessions to forgery attacks....

Marcin Godula Marcin Godula

Summary

ParameterValue
CVE IDCVE-2026-5081
Alert SourceGitHub Advisory - Critical Vulnerability
CVE Publication Year2026
Date Published2026-05-06
VendorPerl
ProductApache-Session
CVSS Score9.1 (critical)
EPSS ScoreNo data
CISA KEVNo
RansomwareNot confirmed

Vulnerability Description

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.

Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation.

The server IP is of…

Required Actions

Apply vendor patches or mitigations as soon as available.

Who Is Affected?

This vulnerability affects Apache-Session by Perl. Check if your organization uses this software and requires updates.

Sources

Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.

Learn More

Tags:

cve-2026-5081 critical perl vulnerability

Share:

Talk to an expert

Have questions about this topic? Get in touch with our specialist.

Sales Representative
Grzegorz Gnych

Grzegorz Gnych

Sales Representative

+48 664 003 003grzegorz.gnych@nflo.pl
Response within 24 hours
Free consultation
Individual approach

Providing your phone number will speed up contact.

Want to Reduce IT Risk and Costs?

Book a free consultation - we respond within 24h

Response in 24h Free quote No obligations
Book a Call +48 22 487 86 36

Or download free guide:

Download NIS2 Checklist