Cyber Resilience

CVE-2026-2439

Critical

Published: 16 February 2026

Modified: 10 March 2026
KEV Added: not listed
Patch: Concierge::Sessions 0.8.5
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (32.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-2439 is a critical-severity weak-PRNG (CWE-338) vulnerability in Bva Concierge (the Concierge::Sessions Perl module). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 32.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-2439 affects the Concierge::Sessions Perl module in versions from 0.8.1 before 0.8.5, where the generate_session_id function in Concierge::Sessions::Base produces insecure session identifiers. By default it shells out to the uuidgen command without the --random option, so on a system that lacks a high-quality random number source uuidgen emits time-based UUIDs; the system time those UUIDs encode is routinely exposed in HTTP responses. If uuidgen fails, the function falls back silently to Perl's built-in rand(), a non-cryptographic generator whose output is predictable and unsuitable for security contexts. These flaws correspond to CWE-338 (use of a cryptographically weak PRNG) and CWE-340 (generation of predictable numbers or identifiers), and carry a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers without privileges can exploit this vulnerability by guessing session IDs, which are predictable either from observable timestamps (time-based UUIDs) or from the sequence of rand() outputs. Possession of a valid session ID grants direct access to affected systems, since UUIDs function as bearer tokens per RFC 9562. Successful exploitation yields high confidentiality, integrity, and availability impact, typically through session hijacking.

Patches in Concierge::Sessions version 0.8.5 address the issues, as detailed in the GitHub commit (20bb28e92e8fba307c4ff8264701c215be65e73b) and the MetaCPAN release diff, which improve session ID generation to use secure methods. Perl security guidance recommends high-entropy sources for random data, avoiding rand() (perldoc.perl.org/5.42.0/functions/rand) and following best practices in metacpan.org's random-data-for-security guide.

Vulnerability details

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically:

* There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.
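The following Perl is an added example for the "Deeper analysis" and "Vulnerability details" sections above; it is not code from Concierge::Sessions or its fix commit. The weak generator is a hypothetical reconstruction of the pattern the advisory describes (uuidgen without --random, silent fallback to rand()), shown next to a hardened replacement that reads OS randomness from /dev/urandom (assumed to exist, as on any POSIX host) and fails loudly rather than degrading. The uuid_version helper lets an operator check which kind of UUID their host's uuidgen actually produces: version 1 is time-based, version 4 is random.

```perl
#!/usr/bin/env perl
# Added example, not the module's own code: weak pattern vs hardened
# replacement, plus a check for time-based (v1) vs random (v4) UUIDs.
use strict;
use warnings;

# Hypothetical reconstruction of the vulnerable pattern: shell out to uuidgen
# without --random, and fall back to rand() silently if the command fails.
sub generate_session_id_weak {
    my $uuid = `uuidgen 2>/dev/null`;        # may be time-based (v1) on some hosts
    chomp $uuid if defined $uuid;
    return $uuid if defined $uuid && length $uuid;
    # Silent fallback: Perl's rand() is a non-cryptographic PRNG.
    return join '', map { sprintf '%04x', int rand 65536 } 1 .. 8;
}

# Hardened replacement (assumes a POSIX host with /dev/urandom): read 32
# bytes of OS-supplied randomness and die instead of degrading to rand().
sub generate_session_id_secure {
    my $nbytes = 32;                         # 256 bits of entropy
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $nbytes;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $nbytes;
    return unpack 'H*', $buf;                # 64 hex characters, no structure to guess
}

# Check helper: return the RFC 9562 version nibble of a UUID string, or undef
# if the input is not UUID-shaped. 1 means time-based; 4 means random.
sub uuid_version {
    my ($uuid) = @_;
    return undef unless defined $uuid
        && $uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
    return hex $1;
}

# Run once on the host that serves the application to see which kind of
# UUID its uuidgen produces and what the hardened generator returns instead.
if (!caller) {
    my $weak = generate_session_id_weak();
    my $ver  = uuid_version($weak);
    printf "uuidgen output: %s (%s)\n", $weak,
        defined $ver ? "UUID version $ver" : "not a UUID: rand() fallback was used";
    printf "secure id:      %s\n", generate_session_id_secure();
}
```

If the first line reports "UUID version 1", the host is on the time-based path the advisory warns about; if it reports the rand() fallback, uuidgen is missing or failing and the weak generator would never have told you. Either way the fix is the same: generate session identifiers from the operating system's CSPRNG and treat its absence as a hard error, which is what Concierge::Sessions 0.8.5 moves to and what the Perl random-data-for-security guidance recommends.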

CWE(s)

CWE-338 (Use of Cryptographically Weak PRNG), CWE-340 (Generation of Predictable Numbers or Identifiers)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

The CVE describes a remotely exploitable flaw in a Perl session management module used by public-facing applications, enabling prediction/guessing of session tokens (bearer tokens per RFC 9562) that directly facilitates unauthorized access via stolen or forged web session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-40926 (shared: CWE-338, CWE-340)
CVE-2025-40932 (shared: CWE-338, CWE-340)
CVE-2025-15604 (shared: CWE-338, CWE-340)
CVE-2026-5085 (shared: CWE-338, CWE-340)
CVE-2026-3256 (shared: CWE-338, CWE-340)
CVE-2026-5081 (shared: CWE-340)
CVE-2025-40920 (shared: CWE-338, CWE-340)
CVE-2025-15578 (shared: CWE-338)
CVE-2025-40931 (shared: CWE-338, CWE-340)
CVE-2025-66630 (shared: CWE-338)

Affected Assets

Vendor: bva
Product: concierge

Mitigating Controls (NIST 800-53 r5)

IA-5 (prevent): mandates secure generation and management of authenticators, including session IDs, using high-entropy mechanisms to prevent the predictability and guessing attacks exploited in this CVE.

SI-2 (prevent): requires identification, reporting, and timely remediation of software flaws like the insecure session ID generation in affected Concierge::Sessions versions.

SC-23 (prevent): protects communications session authenticity by requiring unique and secure session identifiers, directly countering the predictable UUIDs and rand()-based IDs that enable hijacking.
