CVE-2026-2439 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: February 17, 2026
Overview
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically, * There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason. * The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses. * UUIDs are identifiers whose mere possession grants access, as per RFC 9562. * The output of the built-in rand() function is predictable and unsuitable for security applications.
Severity & Score
Social Media Activity(6 posts)
⚠️ CVE-2026-2439 (CRITICAL) in BVA Concierge::Sessions 0.8.1 – 0.8.4: Predictable session IDs due to weak randomness let attackers hijack sessions. Upgrade ASAP or use secure RNG for session IDs. https://radar.offseq.com/threat/cve-2026-2439-cwe-340-generation-of-predictable-nu-8847b5d6 #OffSeq #CVE20262439 #infosec #vuln
View original post
🔴 CVE-2026-2439 - Critical (9.8) Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's bu... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2439/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post🔴 CVE-2026-2439 - Critical (9.8) Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's bu... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2439/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
⚠️ CVE-2026-2439 (CRITICAL) in BVA Concierge::Sessions 0.8.1 – 0.8.4: Predictable session IDs due to weak randomness let attackers hijack sessions. Upgrade ASAP or use secure RNG for session IDs. https://radar.offseq.com/threat/cve-2026-2439-cwe-340-generation-of-predictable-nu-8847b5d6 #OffSeq #CVE20262439 #infosec #vuln
View original post
🔴 CVE-2026-2439 - Critical (9.8) Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's bu... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2439/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post🔴 CVE-2026-2439 - Critical (9.8) Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's bu... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2439/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-2439
- Severity
- Critical
- CVSS Score
- 9.8
- EPSS
- 1.8%
- Social Posts
- 6