CVE-2026-2439

216.73.216.233

· Published 16/02/2026 22:22 · Modified 17/02/2026 15:16

Labels: CVE-2026-2439 2026-02-16 9b29abf9-4ab0-4765-b253-1875cd9b441e CVE-2026-2439 CWE-338

Essential information

Published: 16/02/2026 22:22
Modified: 17/02/2026 15:16
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically, * There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason. * The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses. * UUIDs are identifiers whose mere possession grants access, as per RFC 9562. * The output of the built-in rand() function is predictable and unsuitable for security applications.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD: View on NVD

Affected products (CPE)

Product	CPE
concierge / sessions	`cpe:2.3:a:concierge:sessions:0.8.1-0.8.5:::::::*`