CVE-2026-5085

Solstice::Session (Perl distribution)

The Solstice::Session Perl module generates predictable session identifiers, allowing an attacker who guesses a live identifier to hijack that user's session and gain unauthorized access to the application.

Executive summary

The Solstice::Session module builds session identifiers from predictable inputs, so an unauthenticated attacker can guess the identifiers of active sessions and hijack them.

Vulnerability

The _generateSessionID and _generateID methods derive session identifiers from low-entropy inputs: the current epoch time, stringified hash references (which carry only a process heap address), and a 16-bit rand() call that is not a cryptographic random source. None of these is unpredictable to an attacker who can bound when a session was created, so the space of candidate identifiers is small enough to enumerate, and valid session IDs can be guessed without any credentials.
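To make the entropy argument concrete, the following Perl is an added illustration and not the library's own code: weak_session_id() models the described construction (epoch time, a stringified hash reference, a 16-bit rand() value), secure_session_id() shows a replacement that draws 32 bytes from the operating system's CSPRNG, and weak_search_space_bits() bounds the attacker's search space. The /dev/urandom path and the parameter values passed to the estimate (one-minute time window, 16 bits of rand() output, 16 bits of address variation) are assumptions for the illustration, not measurements of the library.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Model of the weak construction the advisory describes: epoch time, a
# stringified hash reference (a heap address such as HASH(0x55c4...)) and a
# 16-bit rand() value. Illustration only, not the library's code.
sub weak_session_id {
    my $obj  = {};                                   # "$obj" -> HASH(0x...)
    my $seed = join '|', time(), "$obj", int(rand(65536));
    return sha256_hex($seed);    # hashing hides the inputs but adds no entropy
}

# Hardened replacement: 32 bytes from the kernel CSPRNG. Assumes a Unix host
# with /dev/urandom; Crypt::URandom on CPAN wraps the same source portably.
sub secure_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = sysread($fh, my $buf, 32);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack('H*', $buf);                       # 64 hex chars, 256 bits
}

# Rough size, in bits, of the weak generator's search space for an attacker
# who can bound the session's creation time. All three parameters are
# illustrative assumptions supplied by the caller.
sub weak_search_space_bits {
    my ($time_window_s, $rand_bits, $addr_bits) = @_;
    return log($time_window_s) / log(2) + $rand_bits + $addr_bits;
}

printf "weak:   %s\n", weak_session_id();
printf "secure: %s\n", secure_session_id();
printf "weak search space: about 2^%.1f candidates (vs 2^256)\n",
    weak_search_space_bits(60, 16, 16);  # assumed: 1-minute window, 16-bit rand, 16 address bits
```

Even with a generous allowance for address variation, the modelled space is under 2^40 candidates, which is within reach of online guessing against a site that does not rate-limit cookie presentation; the CSPRNG-backed identifier is not guessable. Whatever generator replaces the weak one, issue a fresh identifier with it whenever a session's privilege level changes (login, re-authentication) so that identifiers created under the old code do not survive.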

Business impact

With a CVSS score of 9.1, this vulnerability poses a severe risk of account takeover. An attacker who predicts a live session token impersonates that user without credentials and obtains whatever data and administrative functions the session grants, with the reputational and operational damage that follows.

Remediation

Immediate Action: Identify all applications utilizing the Solstice::Session library and assess the feasibility of migrating to a secure, modern session management framework.

Proactive Monitoring: Watch application and access logs for two patterns: a single session identifier presented from several unrelated client addresses within a short interval, and a client that cycles through many distinct session identifiers in quick succession, most of them rejected. The second pattern is what enumeration of a small identifier space looks like from the server side.
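As an added example of the monitoring logic above (not part of the original advisory), this Perl script runs both checks over a handful of constructed log lines in a hypothetical "epoch client_ip session_id http_status" layout. The line format, the sample addresses and the thresholds (60-second window, four distinct identifiers) are assumptions; parse_line() is the only part that needs changing for a real access-log format, and it assumes the session identifier is logged rather than redacted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample log lines (not from any real system) in a hypothetical
# "epoch client_ip session_id http_status" layout.
my @lines = (
    '1717000000 203.0.113.5   a1b2c3d4e5f6 200',
    '1717000004 203.0.113.5   a1b2c3d4e5f6 200',
    '1717000009 198.51.100.9  a1b2c3d4e5f6 200',   # same session, second address
    '1717000010 192.0.2.44    0000c0ffee01 401',
    '1717000010 192.0.2.44    0000c0ffee02 401',
    '1717000011 192.0.2.44    0000c0ffee03 401',
    '1717000011 192.0.2.44    0000c0ffee04 401',
    '1717000012 192.0.2.44    0000c0ffee05 200',   # a guess that landed
);

# Adapt this to the real log format; everything else works on the hashref.
sub parse_line {
    my ($line) = @_;
    my ($ts, $ip, $sid, $status) = split ' ', $line;
    return unless defined $status;
    return { ts => $ts, ip => $ip, sid => $sid, status => $status };
}

# Returns (\@shared, \@guessers): session IDs used from more than one client
# address, and client addresses that presented at least $max_sids distinct
# session IDs within any $window-second span.
sub find_anomalies {
    my ($lines, $window, $max_sids) = @_;
    my (%ips_for_sid, %events_for_ip);
    for my $line (@$lines) {
        my $e = parse_line($line) or next;
        $ips_for_sid{ $e->{sid} }{ $e->{ip} } = 1;
        push @{ $events_for_ip{ $e->{ip} } }, $e;
    }

    my @shared = sort grep { scalar(keys %{ $ips_for_sid{$_} }) > 1 } keys %ips_for_sid;

    my @guessers;
    for my $ip (sort keys %events_for_ip) {
        my @ev = sort { $a->{ts} <=> $b->{ts} } @{ $events_for_ip{$ip} };
        my ($start, %seen) = (0);
        # sliding window over this client's events, counting distinct IDs
        for my $end (0 .. $#ev) {
            $seen{ $ev[$end]{sid} }++;
            while ($ev[$end]{ts} - $ev[$start]{ts} > $window) {
                delete $seen{ $ev[$start]{sid} } if --$seen{ $ev[$start]{sid} } == 0;
                $start++;
            }
            if (scalar(keys %seen) >= $max_sids) { push @guessers, $ip; last; }
        }
    }
    return (\@shared, \@guessers);
}

my ($shared, $guessers) = find_anomalies(\@lines, 60, 4);
print "session IDs used from multiple addresses: @$shared\n";
print "addresses cycling through session IDs:    @$guessers\n";
```

On the sample input the first check reports a1b2c3d4e5f6 and the second reports 192.0.2.44. The shared-session check needs a baseline before it pages anyone, since users behind carrier NAT or roaming between networks legitimately change address mid-session; the identifier-cycling check is the higher-fidelity signal, and the HTTP status is kept on each event so a rejected-to-accepted transition from the same client can be surfaced as well.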

Compensating Controls: Serve the application only over HTTPS and set the session cookie with the Secure and HttpOnly attributes, so a guessed or captured token cannot be replayed over plaintext or read by script. Binding a session to the client IP address or User-Agent raises the cost of hijacking but is not a fix: the User-Agent is chosen by the attacker, and IP pinning breaks legitimate users behind NAT or on mobile networks. Short idle and absolute session timeouts shrink the set of live identifiers an enumeration attack can hit.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Because the weakness is in the library's identifier generation itself, configuration changes cannot remove it. Organizations should plan to replace the vulnerable component, or at minimum override identifier generation with a CSPRNG-backed source and add application-level session validation, to mitigate the risk of account hijacking.