CVE-2026-5088 PUBLISHED

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts

Assigner: CPANSec
Reserved: 28.03.2026 Published: 15.04.2026 Updated: 15.04.2026

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.

The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function.

The rand function is unsuitable for cryptographic use.

These salts are used for password hashing.

Product Status

Vendor	JDEGUEST
Product	Apache::API::Password
Versions	Default: unaffected affected from 0 to v0.5.2 (incl.)

Workarounds

Install Crypt::URandom.

Solutions

Upgrade to version v0.5.3 or later, and install Crypt::URandom.

References

https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.3/changes
https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.2/view/lib/Apache2/API/Password.pod
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://metacpan.org/pod/Crypt::URandom

Problem Types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator CWE