Platform: perl
Component: apache2-api
Fixed in: 0.5.3
CVE-2026-5088 is a vulnerability affecting versions 0.0.0 through 0.5.2 of the Apache::API::Password Perl module. This flaw allows the module to generate insecure random values for password salts when Crypt::URandom or Bytes::Random::Secure are unavailable, falling back to the insecure rand function. This can weaken password hashing and potentially compromise user credentials. Upgrade to version 0.5.3 to mitigate this risk.
The core impact of CVE-2026-5088 lies in the compromised randomness used for password salting. Salts exist to defeat rainbow-table and other precomputation attacks, so that even if the password database is compromised, the stored hashes cannot be cracked cheaply. Perl's rand function is not cryptographically secure: its output is predictable from a small internal state, so salts derived from it are guessable, which significantly weakens the password hashing process. An attacker who gains access to the password database could crack passwords much more easily, leading to unauthorized access to sensitive user data and systems. This vulnerability is particularly concerning in applications that rely heavily on password authentication and store user credentials.
CVE-2026-5088 was publicly disclosed on 2026-04-15. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The probability of exploitation is currently considered low, but the potential impact is significant if exploited.
Exploit Status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2026-5088 is to upgrade to version 0.5.3 of the Apache::API::Password module. This version includes a fix that ensures the use of cryptographically secure random number generators. If upgrading is not immediately feasible, consider implementing a temporary workaround by ensuring that both Crypt::URandom and Bytes::Random::Secure are installed on the system where the module is used. While not a complete fix, this prevents the fallback to rand. Monitor system logs for any unusual activity related to password authentication. After upgrading, verify the fix by testing password hashing functionality and confirming that secure random number generators are being used.
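The following is an added example, not code from Apache::API::Password or its maintainers, showing the fail-closed salt generation the fix implies: try Crypt::URandom, then Bytes::Random::Secure, and die rather than fall back to rand(). The 16-byte salt length and the function names are assumptions for illustration; the library calls (Crypt::URandom::urandom, Bytes::Random::Secure::random_bytes) are the modules' documented functional interfaces.

```perl
#!/usr/bin/perl
# Added example (not the module's own code): generate a password salt without
# the rand() fallback described in CVE-2026-5088. If no CSPRNG module is
# installed the program stops instead of silently degrading to rand().
use strict;
use warnings;

# Returns a code ref that yields $n cryptographically secure bytes, or dies.
sub secure_bytes_source {
    if (eval { require Crypt::URandom; 1 }) {
        return sub { Crypt::URandom::urandom($_[0]) };
    }
    if (eval { require Bytes::Random::Secure; 1 }) {
        return sub { Bytes::Random::Secure::random_bytes($_[0]) };
    }
    # Fail closed: this is the branch where the vulnerable versions used rand().
    die "No CSPRNG available; install Crypt::URandom or Bytes::Random::Secure\n";
}

# Returns a hex-encoded salt of $len random bytes.
# 16 bytes (128 bits) is an assumed length, not the module's default.
sub make_salt {
    my ($len) = @_;
    $len ||= 16;
    my $bytes = secure_bytes_source()->($len);
    die "short read from CSPRNG\n" unless length($bytes) == $len;
    return unpack('H*', $bytes);
}

# The pattern the advisory warns about, kept only for contrast: rand() output
# is predictable, so salts built this way can be reproduced by an attacker.
sub weak_salt_for_comparison {
    my ($len) = @_;
    return join '', map { sprintf '%02x', int(rand(256)) } 1 .. $len;
}

print "salt: ", make_salt(16), "\n";
```

Running the script on a host that lacks both modules terminates with the die message, which doubles as a quick check that the fallback path is no longer reachable in your environment.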
Update to version 0.5.3 or later of Apache::API::Password. This version corrects the generation of insecure random values for password salts, using cryptographically secure methods instead of Perl's `rand` function.
CVE-2026-5088 is a vulnerability in Apache::API::Password versions 0.0.0–0.5.2 that allows the generation of insecure salts for password hashing due to a fallback to Perl's rand function when cryptographically secure modules are unavailable.
You are affected if you are using Apache::API::Password versions 0.0.0 through 0.5.2 and do not have both Crypt::URandom and Bytes::Random::Secure installed.
Upgrade to version 0.5.3 of Apache::API::Password. Ensure that Crypt::URandom and Bytes::Random::Secure are installed if an immediate upgrade is not possible.
There are currently no known public exploits or confirmed active exploitation campaigns targeting CVE-2026-5088.
Refer to the relevant Perl module documentation and security advisories for updates and further information regarding CVE-2026-5088.