Concierge::Sessions versions 0.8.1-0.8.4: Insecure Session IDs
CVE-2026-2439
CVSS score: 9.8
Summary
Concierge::Sessions versions 0.8.1 to 0.8.4 generate session IDs that can be easily guessed by attackers, potentially allowing them to access systems. This is because the software uses insecure methods to generate these IDs. To protect your systems, update to version 0.8.5 or later, which fixes this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| bva | concierge | 0.8.1 to 0.8.4 | – |
Original description
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session IDs. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session IDs that can grant them access to systems. Specifically:
* There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.
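The following Perl script is an added illustration and is not code from Concierge::Sessions or its author. It reconstructs the weak pattern the advisory describes (a uuidgen call with a silent rand() fallback; the exact module source is not on this page, so weak_session_id is an assumption about its shape) next to a replacement that draws 256 bits from the kernel CSPRNG and dies on any failure instead of degrading quietly. The function names and the self-test are hypothetical.

```perl
#!/usr/bin/env perl
# Added example, not part of Concierge::Sessions. Contrasts the weak pattern
# described in CVE-2026-2439 with a generator that fails loudly and never
# falls back to rand().
use strict;
use warnings;

# Weak pattern (reconstructed for illustration, not the module's real code).
# Two defects the advisory names: without --random, uuidgen may emit a
# time-based UUID on hosts lacking a good entropy source, and when the
# command fails the caller silently receives rand()-derived digits.
sub weak_session_id {
    my $uuid = `uuidgen 2>/dev/null`;
    chomp $uuid;
    return $uuid if length $uuid;
    return join '', map { sprintf '%x', int rand 16 } 1 .. 32;   # silent fallback
}

# Hardened replacement: 32 bytes (256 bits) from /dev/urandom, hex-encoded.
# No external command and no fallback path: every failure is fatal, so a
# deployment cannot keep issuing low-entropy IDs without anyone noticing.
sub secure_session_id {
    my $nbytes = shift // 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $nbytes;
    close $fh;
    die "short read from /dev/urandom: got " . ($got // 0) . " of $nbytes bytes"
        unless defined $got && $got == $nbytes;
    return unpack 'H*', $buf;
}

# Startup check a service can run: IDs must have the expected length and
# must not repeat across a batch; any problem dies rather than degrading.
sub self_test {
    my %seen;
    for (1 .. 1000) {
        my $id = secure_session_id();
        die "unexpected session id length" unless length($id) == 64;
        die "duplicate session id"         if $seen{$id}++;
    }
    return 1;
}

if (!caller) {
    self_test();
    print "example session id: ", secure_session_id(), "\n";
}
```

Reading /dev/urandom directly keeps the example dependency-free; on CPAN the portable equivalent is Crypt::URandom, which the linked metacpan guide on random data for security covers. The point of the contrast is bullet one of the advisory: the weak form has a degradation path that leaves no trace in logs, while the hardened form has none.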
NVD CVSS 3.1 base score: 9.8
Vulnerability type
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-340: Generation of Predictable Numbers or Identifiers
References
- https://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c2...
- https://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Se...
- https://perldoc.perl.org/5.42.0/functions/rand
- https://security.metacpan.org/docs/guides/random-data-for-security.html
- https://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026