CVE-2026-56016
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
The vulnerability in CGI::Session::ID::md5 for Perl before version 4.49 generates predictable session IDs from low-entropy sources. The generate_id method builds the session ID from an MD5 digest of the process ID, epoch time, and the built-in rand() function, all of which are predictable.
Risk Assessment
An attacker can predict the session ID and impersonate a user, leading to authentication bypass and unauthorized access to the application.
Recommendation
Immediately upgrade the CGI::Session::ID::md5 library to version 4.49 or later, which uses a secure random number generator.
Original NVD description (English source)
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

