CVE-2026-40082 - Vulnerability Details

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cacti

cacti

affected

Version	Status	Constraints
`< 1.2.31`	affected	—

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Cacti/cacti/commit/2fa404e70a5702be10682555911228e8e51ba198
https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31
https://github.com/Cacti/cacti/security/advisories/GHSA-273r-qr93-wgcp

History

Thu, 25 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.
Title		Cacti: Session Fixation via missing session_regenerate_id() after login
Weaknesses		CWE-384
References		https://github.com/Cacti/cacti/commit/2fa404e70a5702be10682555911228e8e51ba198 https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31 https://github.com/Cacti/cacti/security/advisories/GHSA-273r-qr93-wgcp
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-25T22:33:45.871Z

Updated: 2026-06-25T22:33:45.871Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40082

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T00:30:17Z

Weaknesses

CWE-384

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object