Vulnerability Description
Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Berov | Ado\ | <= 0.935, \ |
Related Weaknesses (CWE)
References
- https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gzProduct
- https://github.com/kberov/Ado/issues/112Issue Tracking
- https://security.metacpan.org/docs/guides/random-data-for-security.htmlThird Party Advisory
- http://www.openwall.com/lists/oss-security/2026/04/08/7Mailing List
FAQ
What is CVE-2026-5083?
CVE-2026-5083 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PI...
How severe is CVE-2026-5083?
CVE-2026-5083 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-5083?
Check the references section above for vendor advisories and patch information. Affected products include: Berov Ado\.