PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5081 CHORNY CVE debrief

CVE-2026-5081 is a critical vulnerability in Apache::Session::Generate::ModUniqueId, a Perl module used for generating session IDs. The module takes its session IDs from the UNIQUE_ID environment variable, which is set by the Apache mod_unique_id module. This variable is built from the server's IPv4 address, process ID, epoch time, a 16-bit counter, and a thread index, with no obfuscation. An attacker who can guess or obtain the server IP, process IDs, and timestamp may therefore be able to predict session IDs.

Vendor: CHORNY
Product: Apache::Session::Generate::ModUniqueId
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-06-05
Advisory published: 2026-05-06
Advisory updated: 2026-06-05

Who should care

Users of Apache::Session::Generate::ModUniqueId, particularly those in environments where session ID security is crucial.

Technical summary

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 are vulnerable. The module uses the UNIQUE_ID environment variable for session IDs, which can be guessed or obtained by an attacker due to its predictable nature.
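
The following Python check is an added example, not code from the advisory or from the module. It audits a batch of session IDs issued by your own application by decoding the 24-character UNIQUE_ID shape and counting how many of the 144 bits ever change. The function names, the 64-bit threshold, and the field order used to build the constructed samples are assumptions.

```python
import base64
import os
import re
import struct

# mod_unique_id encodes 144 bits as 24 characters from A-Za-z0-9@-
# (base64 with "@" and "-" in place of "+" and "/").
SHAPE = re.compile(r"[A-Za-z0-9@-]{24}")

def decode_id(sid):
    """Return the 18 raw bytes behind a UNIQUE_ID-shaped string, else None."""
    if not SHAPE.fullmatch(sid):
        return None
    return base64.b64decode(sid, altchars=b"@-")

def varying_bits(ids):
    """Count bit positions that differ anywhere across a batch of IDs."""
    raws = [decode_id(s) for s in ids]
    if len(raws) < 2 or any(r is None for r in raws):
        return None
    first = int.from_bytes(raws[0], "big")
    mask = 0
    for raw in raws[1:]:
        mask |= first ^ int.from_bytes(raw, "big")
    return bin(mask).count("1")

def audit(ids, min_bits=64):  # min_bits is an assumed threshold, not from the advisory
    """Classify a batch of issued session IDs by how much of each ID varies."""
    bits = varying_bits(ids)
    if bits is None:
        return "not-unique-id-shape"
    return "low-variability" if bits < min_bits else "high-variability"

def encode(raw):
    """Encode 18 bytes with the mod_unique_id alphabet (used for samples only)."""
    return base64.b64encode(raw, altchars=b"@-").decode("ascii")

# Constructed samples: epoch time, IPv4 10.0.0.5, PID 4242, counter 0..7, thread 0.
# The field order is an assumption used only to build this test data.
PREDICTABLE = [encode(struct.pack(">IIIHI", 1770000000, 0x0A000005, 4242, n, 0))
               for n in range(8)]
RANDOM = [encode(os.urandom(18)) for _ in range(8)]  # same shape, CSPRNG content

if __name__ == "__main__":
    for name, batch in (("predictable", PREDICTABLE), ("random", RANDOM)):
        print(name, varying_bits(batch), audit(batch))
```

A "low-variability" result on IDs collected from a single server means most of each ID is constant across sessions, which is the property the advisory describes.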

Defensive priority

high

Recommended defensive actions

  • Upgrade to a version of Apache::Session::Generate::ModUniqueId that is not vulnerable (e.g., version 1.95 or later).
  • Consider using a different session ID generation module that provides more secure IDs.

Evidence notes

The vulnerability has a CVSS score of 9.1 and is considered critical. It was published on 2026-05-06T13:16:09.833Z and modified on 2026-06-05T20:34:02.643Z.
