CVE-2026-5081: CWE-340 Generation of Predictable Numbers or Identifiers in CHORNY Apache::Session::Generate::ModUniqueId
Apache::Session::Generate::ModUniqueId versions 1.54 through 1.94 for Perl generate insecure session ids. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable as the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id module, which generates a unique id for each request. The id is built from the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often publicly known, and if not, can be inferred from previously issued session ids. The process ids can likewise be inferred from previous session ids. The timestamp is easily guessed (and is leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to each request so that events can be correlated across different logs. The id is neither designed for nor suitable for security purposes.
AI Analysis
Technical Summary
Apache::Session::Generate::ModUniqueId relies on the UNIQUE_ID environment variable set by Apache's mod_unique_id plugin to generate session IDs. The UNIQUE_ID is composed of the IPv4 address, process ID, epoch time, a 16-bit counter, and thread index, all concatenated without any obfuscation or cryptographic protection. Since many of these components are either publicly accessible or can be inferred from previous session IDs or HTTP headers, the session IDs are predictable. This vulnerability is classified under CWE-340 (Generation of Predictable Numbers or Identifiers) and affects versions 1.54 through 1.94 of the module.
Potential Impact
The predictability of session IDs can allow an attacker to guess or reproduce valid session identifiers, potentially leading to session fixation or session hijacking attacks if the application relies solely on these IDs for authentication or session management. However, the vulnerability does not imply direct code execution or system compromise but weakens the security of session management.
Mitigation Recommendations
No official patch or remediation had been published by the vendor at the time of this analysis. Users should avoid using Apache::Session::Generate::ModUniqueId for security-sensitive session ID generation and should instead switch to a session ID generator that draws on a cryptographically secure random source. Patch status is not yet confirmed; check the vendor advisory for current remediation guidance.
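As an added example (not code from the CVE record or from the Apache::Session distribution), a drop-in generator module that sources the session id from the kernel CSPRNG instead of UNIQUE_ID. It assumes the generator interface used by the bundled Apache::Session::Generate modules: package-level generate() and validate() functions that receive the session object and read or set $session->{data}->{_session_id}; the module name and the /dev/urandom path are assumptions.

```perl
package Apache::Session::Generate::SecureRandom;   # hypothetical module name
use strict;
use warnings;

# 16 bytes = 128 bits of CSPRNG output, rendered as 32 hex characters.
my $ID_BYTES = 16;

# Assumed interface: Apache::Session calls generate($session) when a new
# session is created and expects the id in $session->{data}->{_session_id}.
sub generate {
    my $session = shift;
    my $bytes = _urandom($ID_BYTES);
    $session->{data}->{_session_id} = unpack('H*', $bytes);
}

# Assumed interface: validate($session) is called when the client supplies an
# existing id; reject anything that is not exactly the hex shape we emit.
sub validate {
    my $session = shift;
    my $id   = $session->{data}->{_session_id};
    my $want = $ID_BYTES * 2;
    if (defined $id && $id =~ /\A([0-9a-f]{$want})\z/) {
        $session->{data}->{_session_id} = $1;   # untainted copy
    } else {
        die "Invalid session ID: " . (defined $id ? $id : '<undef>');
    }
}

# Read from the kernel CSPRNG; die loudly rather than fall back to rand(),
# which would reintroduce a predictable id.
sub _urandom {
    my $n = shift;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read($fh, my $buf, $n);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

1;
```

Selecting it through Apache::Session::Flex would use its Generate option (assumed here to prefix Apache::Session::Generate::), i.e. Generate => 'SecureRandom'; the same validate() regex also serves as a simple check that no id of the 24-character UNIQUE_ID shape is still being accepted.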
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-03-28T19:10:32.393Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fb3ce0cbff5d8610e47d86
Added to database: 5/6/2026, 1:06:40 PM
Last enriched: 5/6/2026, 1:21:27 PM
Last updated: 5/7/2026, 2:09:42 AM