CVE-2026-5084

May 12, 2026, 4:48 p.m.

6.5
Medium

Description

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest. The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes. Predictable session ids could allow an attacker to gain access to systems. Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.

Product(s) Impacted

Vendor Product Versions
Webdyne
  • Webdyne Session
  • <2.075

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a webdyne webdyne_session <2.075 / / / / / /

References

https://metacpan.org/release/ASPEER/WebDyne-2.075/source/lib/WebDyne/Session.pm#L120
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://webdyne.org
http://www.openwall.com/lists/oss-security/2026/05/11/3

Tags

CWE-338
9b29abf9-4ab0-4765-b253-1875cd9b441e
2026-05-11
CVE-2026-5084

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: May 11, 2026, 8:16 a.m.
Last Modified: May 12, 2026, 4:48 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

9b29abf9-4ab0-4765-b253-1875cd9b441e

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.