CVE-2026-5081 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: May 6, 2026
Apache::Session::Generate::ModUniqueId - Broken Authentication
Published: May 6, 2026 | Updated: May 6, 2026 | Remote Exploitable
Overview
Apache::Session::Generate::ModUniqueId 1.54 through 1.94 generates session ids insecurely: it uses the predictable UNIQUE_ID environment variable, which lets attackers guess session ids. Exploitation requires no special conditions.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can predict session ids, potentially leading to session hijacking or impersonation.
Mitigation
Update to the latest version that uses secure session id generation.
Details
- CVE ID: CVE-2026-5081
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: new
CWE
- CWE-340
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N