Cyber Posture

CVE-2026-2439

Severity: Critical
Published: 16 February 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: Concierge::Sessions 0.8.5
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2439 is a critical-severity weak-PRNG (CWE-338) vulnerability in the Concierge::Sessions Perl module (vendor listed as bva). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Web Session Cookie (T1550.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): mandates secure generation and management of authenticators, including session IDs, using high-entropy mechanisms to prevent the predictability and guessing attacks exploited in this CVE.

SI-2 Flaw Remediation (prevent): requires identification, reporting, and timely remediation of software flaws such as the insecure session ID generation in affected Concierge::Sessions versions.

SC-23 Session Authenticity (prevent): protects the authenticity of communications sessions by requiring unique, unpredictable session identifiers, directly countering the time-based UUIDs and rand()-based IDs that enable hijacking.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

The CVE describes a remotely exploitable flaw in a Perl session-management module used by public-facing applications. The session ID is the only thing that authenticates the session (it is a bearer token), so predicting or guessing it gives the same access as stealing the cookie; RFC 9562 explicitly warns that UUIDs must not be used as such security capabilities because they cannot be assumed hard to guess. T1190 covers the initial guessing attack against the exposed application, and T1550.004 covers the subsequent use of the forged web session cookie.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,

* There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.

Deeper analysis

CVE-2026-2439 affects the Concierge::Sessions Perl module in versions from 0.8.1 before 0.8.5, where the generate_session_id function in Concierge::Sessions::Base produces insecure session identifiers. By default it shells out to the uuidgen command without the --random option, so on a system that lacks a high-quality random number source uuidgen emits a time-based (version 1) UUID whose leading fields are derived from the clock; the system time is routinely exposed in HTTP responses (for example in the Date header). If uuidgen fails for any reason, the module falls back silently to Perl's built-in rand(), which is not a cryptographically secure generator. These flaws are classified as CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) and CWE-340 (Generation of Predictable Numbers or Identifiers), and the CVE carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this by guessing session IDs: a time-based UUID is constrained by a timestamp the attacker can observe, and rand() output is predictable. Because the session ID is the only credential the application checks, holding a valid one is equivalent to holding the victim's session cookie; RFC 9562 warns that UUIDs must not be used as security capabilities for exactly this reason, since they cannot be assumed hard to guess. Successful exploitation therefore yields session hijacking with high confidentiality, integrity, and availability impact.

Patches in Concierge::Sessions version 0.8.5 address the issues, as detailed in the GitHub commit (20bb28e92e8fba307c4ff8264701c215be65e73b) and the MetaCPAN release diff, which improve session ID generation to use secure methods. Perl security guidance recommends high-entropy sources for random data, avoiding rand() (perldoc.perl.org/5.42.0/functions/rand) and following best practices in metacpan.org's random-data-for-security guide.
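The following is an added illustration written for this page; it is not code from Concierge::Sessions or from the fixing commit. It puts the generation pattern the NVD description and the analysis above describe (uuidgen without --random, silent rand() fallback) beside a CSPRNG-backed replacement, adds an audit helper that reports the UUID version of an id a deployed instance is issuing, and decodes the timestamp embedded in a version-1 UUID to show why a time-based id is guessable. All subroutine names are hypothetical, the sample UUID is constructed, /dev/urandom assumes a Unix-like host, and the 60-bit timestamp arithmetic assumes a 64-bit Perl.

```perl
#!/usr/bin/env perl
# Added example, not Concierge::Sessions code. Subroutine names are
# hypothetical; the sample UUID below is constructed for the demo.
use strict;
use warnings;

# WEAK (the pattern described in the advisory): uuidgen is run without
# --random, so a host without a good entropy source may get a version-1
# (time-based) UUID, and if the command fails for any reason the code
# silently drops to rand(), which is not a CSPRNG.
sub weak_session_id {
    my $id = `uuidgen 2>/dev/null`;
    chomp $id if defined $id;
    return $id if defined $id && length $id;
    return join '', map { sprintf '%04x', int rand 65536 } 1 .. 8;
}

# HARDENED: 32 bytes from the kernel CSPRNG, hex-encoded. Fails closed
# instead of degrading to a weaker source.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "CSPRNG unavailable: $!";
    my $n = read $fh, my $buf, 32;
    close $fh;
    die 'short read from /dev/urandom' unless defined $n && $n == 32;
    return unpack 'H*', $buf;
}

# Audit helper: which UUID version does an issued session id carry?
# Version 1 means the generator took the time-based path; version 4 is the
# random layout. Returns undef for anything that is not an RFC 9562 UUID.
sub uuid_version {
    my ($id) = @_;
    return $id =~ /^[0-9a-f]{8}-[0-9a-f]{4}-([1-8])[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
        ? $1 : undef;
}

# Recover the Unix time embedded in a version-1 UUID. The 60-bit timestamp
# (time_hi . time_mid . time_low) counts 100 ns intervals since 1582-10-15;
# 0x01B21DD213814000 is that count at the Unix epoch.
sub uuid_v1_unix_time {
    my ($id) = @_;
    my ($low, $mid, $hi) = $id =~ /^([0-9a-f]{8})-([0-9a-f]{4})-1([0-9a-f]{3})-/i
        or return undef;
    my $ticks = (hex($hi) << 48) | (hex($mid) << 32) | hex($low);
    return int(($ticks - 0x01B21DD213814000) / 10_000_000);
}

# Constructed sample: a v1 UUID whose timestamp field encodes
# 2026-02-16T00:00:00Z (Unix time 1771200000); clock_seq and node are made up.
my $sample_v1 = '6fc44000-0aca-11f1-8000-0a0b0c0d0e0f';
my $when      = uuid_v1_unix_time($sample_v1);

printf "secure id:      %s\n", secure_session_id();
printf "weak id:        %s\n", weak_session_id();
printf "sample version: %s\n", uuid_version($sample_v1);
printf "sample time:    %d (%s UTC)\n", $when, scalar gmtime $when;
```

With the server's Date header giving the second in which a session was created, the timestamp field of a version-1 id leaves only 10^7 tick values to try; clock_seq adds 14 bits and the node field is normally a fixed MAC address, so the effective search space is nowhere near the 122 random bits of a version-4 UUID, let alone the 256 bits the hardened routine draws. A portable alternative to reading /dev/urandom directly is the Crypt::URandom module from CPAN.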

Details

CWE(s): CWE-338, CWE-340

Affected Products: bva / concierge (Concierge::Sessions, versions from 0.8.1 before 0.8.5)

CVEs Like This One

CVE-2025-15604 (shared CWE-338, CWE-340)
CVE-2025-40926 (shared CWE-338, CWE-340)
CVE-2026-5085 (shared CWE-338, CWE-340)
CVE-2025-40932 (shared CWE-338, CWE-340)
CVE-2026-3256 (shared CWE-338, CWE-340)
CVE-2025-40920 (shared CWE-338, CWE-340)
CVE-2025-15578 (shared CWE-338)
CVE-2025-40931 (shared CWE-338, CWE-340)
CVE-2025-66630 (shared CWE-338)
CVE-2025-40905 (shared CWE-338)
