{"id":"CVE-2026-8503","summary":"Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids","details":"Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids.\n\nApache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, that is hashed again. These are predictable, low-entropy sources. Predicable session ids could allow an attacker to gain access to systems.\n\nNote that version 1.3.19 has a fallback without warning to use insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely as Crypt::URandom is a hardcoded requirement of the module.\n\nThis issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.","modified":"2026-07-08T08:14:27.310659802Z","published":"2026-05-15T11:06:29.777Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8503.json","cna_assigner":"CPANSec","cwe_ids":["CWE-338","CWE-340"]},"references":[{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/diff/GUIMARD/Apache-Session-Browseable-1.3.18#lib/Apache/Session/Generate/SHA256.pm"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2025-40931"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2025-40932"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8503.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8503"},{"type":"FIX","url":"https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776eec3dd8bf4748b15fa827dbd0.patch"},{"type":"PACKAGE","url":"https://github.com/LemonLDAPNG/Apache-Session-Browseable"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lemonldapng/apache-session-browseable","events":[{"introduced":"0"},{"fixed":"0dd14ad0706f22f8bcb3c4e2b33bcfe3e5b66513"},{"fixed":"cc915cbbd266776eec3dd8bf4748b15fa827dbd0"}],"database_specific":{"cpe":"cpe:2.3:a:guimard:apache\\:\\:session\\:\\:generate\\:\\:sha256:*:*:*:*:*:perl:*:*","source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.3.19"}]}}],"versions":["v1.3.18","v1.3.17","v1.3.16","v1.3.15","v1.3.14","v1.3.13","v1.3.12","v1.3.11","v1.3.10","v1.3.9","v1.3.8","v1.3.7","v1.3.6","v1.3.5","v1.3.3","v1.3.4","v1.3.2","v1.3.1","v1.3.0","v1.2.9","v1.2.8","v1.2.7","v1.2.6","1.2.5","1.2.4","1.2.3","1.2.2","1.2.1","1.2","1.1","1.0.2","1.0.1","1.0","0.9","0.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8503.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}