Cyber Resilience

CVE-2026-5081

CriticalUpdated

Published: 06 May 2026

Published
06 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0030 21.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-5081 is a critical-severity Generation of Predictable Numbers or Identifiers (CWE-340) vulnerability in Chorny Apache\. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which…

more

generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Predictable session IDs from observable state (CWE-340) in public-facing Apache/Perl module directly enables exploitation of the web app (T1190) and use of guessed/predicted web session cookies for impersonation (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-40931Same product: Chorny Apache\
CVE-2013-10075Same product: Chorny Apache\
CVE-2025-40926Shared CWE-340
CVE-2025-40932Shared CWE-340
CVE-2025-15604Shared CWE-340
CVE-2026-5085Shared CWE-340
CVE-2026-2439Shared CWE-340
CVE-2025-69286Shared CWE-340
CVE-2026-3256Shared CWE-340
CVE-2026-40496Shared CWE-340

Affected Assets

chorny
apache\
\

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-340

Controlled key-establishment processes produce unpredictable key values instead of values derived from observable or guessable state.

References