Bug 2495886

Summary: CVE-2026-56016 perl-CGI-Session: perl-CGI-Session: Authentication bypass via predictable session IDs [fedora-all]
Product: [Fedora] Fedora Reporter: Rohit Keshri <rkeshri>
Component: perl-CGI-SessionAssignee: Andreas Thienemann <andreas>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: rawhideCC: andreas, perl-devel
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["9350baf0-9378-4a94-9dd5-30260596865e"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2495858    

Description Rohit Keshri 2026-07-01 10:58:48 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.

The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.

An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.