CVE-2026-9692: CWE-340 Generation of Predictable Numbers or Identifiers in HAYAJO Mojolicious::Sessions::Storable
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
AI Analysis
Technical Summary
CVE-2026-9692 identifies a vulnerability in Mojolicious::Sessions::Storable (versions <= 0.05) where session IDs are generated insecurely. The session ID generator relies on predictable inputs such as the built-in rand function, epoch time, heap address, and PID, combined with SHA-1 hashing. These sources do not provide sufficient entropy or unpredictability for secure session identifiers, potentially allowing attackers to predict or reproduce session IDs.
Potential Impact
The insecure generation of session IDs can lead to session prediction or fixation attacks, undermining the security of session management. This may allow attackers to hijack user sessions or impersonate users if they can predict valid session identifiers. However, no known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider implementing a more secure session ID generation mechanism that uses cryptographically secure random number generators. Avoid relying on the default session ID generator in affected versions.
CVE-2026-9692: CWE-340 Generation of Predictable Numbers or Identifiers in HAYAJO Mojolicious::Sessions::Storable
Description
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
CVSS v3.1
Score 5.3medium
Affected software
pkg:github/Mojolicious-Plugin-SessionStoreRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9692 identifies a vulnerability in Mojolicious::Sessions::Storable (versions <= 0.05) where session IDs are generated insecurely. The session ID generator relies on predictable inputs such as the built-in rand function, epoch time, heap address, and PID, combined with SHA-1 hashing. These sources do not provide sufficient entropy or unpredictability for secure session identifiers, potentially allowing attackers to predict or reproduce session IDs.
Potential Impact
The insecure generation of session IDs can lead to session prediction or fixation attacks, undermining the security of session management. This may allow attackers to hijack user sessions or impersonate users if they can predict valid session identifiers. However, no known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider implementing a more secure session ID generation mechanism that uses cryptographically secure random number generators. Avoid relying on the default session ID generator in affected versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-27T10:52:01.931Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a343e63f198dc38c151df61
Added to database: 6/18/2026, 6:52:19 PM
Last enriched: 6/18/2026, 7:05:32 PM
Last updated: 6/18/2026, 9:01:38 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.