Medium severity5.3NVD Advisory· Published Apr 8, 2026· Updated Apr 23, 2026

CVE-2026-5083

Description

Ado::Sessions versions through 0.935 for Perl generates insecure session ids.

The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.

Affected products

Berov/Ado\
cpe:2.3:a:berov:ado\:\:sessions:*:*:*:*:*:perl:*:*
Range: <=0.935

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.metacpan.org/docs/guides/random-data-for-security.htmlnvdThird Party Advisory
www.openwall.com/lists/oss-security/2026/04/08/7nvdMailing List
backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gznvdProduct
github.com/kberov/Ado/issues/112nvdIssue Tracking

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000