{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5088", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-03-28T19:31:47.729Z", "datePublished": "2026-04-15T07:03:13.742Z", "dateUpdated": "2026-04-15T17:24:20.860Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Apache2-API", "product": "Apache::API::Password", "programFiles": ["lib/Apache2/API.pm"], "programRoutines": [{"name": "Apache2::API::Password::_make_salt"}, {"name": "Apache2::API::Password::_make_salt_bcrypt"}], "repo": "https://gitlab.com/jackdeguest/Apache2-API", "vendor": "JDEGUEST", "versions": [{"lessThanOrEqual": "v0.5.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.\n\nThe _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function.\n\nThe rand function is unsuitable for cryptographic use.\n\nThese salts are used for password hashing."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-15T07:03:13.742Z"}, "references": [{"tags": ["release-notes"], "url": "https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.3/changes"}, {"tags": ["related"], "url": "https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.2/view/lib/Apache2/API/Password.pod"}, {"tags": ["technical-description"], "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}, {"url": "https://metacpan.org/pod/Crypt::URandom"}], "solutions": [{"lang": "en", "value": "Upgrade to version v0.5.3 or later, and install Crypt::URandom."}], "source": {"discovery": "UNKNOWN"}, "title": "Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts", "workarounds": [{"lang": "en", "value": "Install Crypt::URandom."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/15/4"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/15/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-15T17:24:20.860Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.\n\nThe _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function.\n\nThe rand function is unsuitable for cryptographic use.\n\nThese salts are used for password hashing."}], "id": "CVE-2026-5088", "lastModified": "2026-04-15T18:17:24.520", "metrics": {}, "published": "2026-04-15T08:16:16.790", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/pod/Crypt::URandom"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.2/view/lib/Apache2/API/Password.pod"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.3/changes"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/15/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/15/5"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v0.5.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Apache::API::Password", "source": "cna", "vendor": "JDEGUEST"}, "product": "apache::api::password", "vendor": "jdeguest"}], "analysis": {"en": {"generated_at": "2026-04-15T08:20:35.775567+00:00", "value": {"mitigation_remediation": ["Upgrade Apache::API::Password to version 0.5.3 or later, which implements secure random salt generation.", "Install Crypt::URandom to provide a strong cryptographic random source for the module.", "If an immediate upgrade is not possible, use Crypt::URandom as a temporary workaround to improve salt randomness."], "summary": {"action": "Patch", "impact": "Weak password hashing due to insecure salts"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the JDEGUEST Apache::API::Password library, versions through 0.5.2 and earlier. Systems that use these versions for password hashing \u2013 such as Perl web applications that depend on this module \u2013 are impacted. No other vendor products are listed as affected in the CNA data.", "description_and_impact": "The Apache::API::Password module generates random salts for password hashing. If the modules Crypt::URandom or Bytes::Random::Secure are unavailable, the code falls back to Perl's built\u2011in rand function, which is unsuitable for cryptographic use. Salts generated in this manner are predictable and weaken the security of the stored password hashes, making it easier for an attacker to perform offline brute\u2011force or rainbow\u2011table attacks on compromised credentials.", "risk_and_exploitability": "No EPSS score is reported and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating no confirmed active exploitation at this time. However, the weakness directly compromises the confidentiality of stored passwords, a high\u2011impact asset. If an attacker obtains a password database, the predictable salts significantly reduce the effort required for offline cracking. The likely attack vector is a compromised system or a credential dump, and the weakness is exploitable by any party with access to hashed passwords or the application source that uses the vulnerable library."}}}}, "created": "2026-04-15T13:49:14.867362+00:00", "updated": "2026-04-15T14:53:28.013076+00:00", "vendors": ["jdeguest", "jdeguest$PRODUCT$apache::api::password"]}