CVE-2026-40080 in Cacti

Summary

by MITRE • 06/26/2026

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability is an open redirect in Cacti versions 1.2.30 and earlier: the post-login redirect accepts the Referer URL after a check that only tests whether the string contains CACTI_PATH_URL, str_contains($referer, CACTI_PATH_URL), rather than whether the URL's host is the Cacti host. The code path is reached only for accounts whose login_opts setting is '1' (redirect to the referring page after login); in that mode auth_login_redirect() reads $_SERVER['HTTP_REFERER'] and uses it as the redirect target without any host validation.

The impact is that an attacker who can make a victim arrive at the Cacti login page from an attacker-controlled page chooses where the victim lands after authenticating. The Referer only has to contain the Cacti path somewhere: with CACTI_PATH_URL set to /cacti/, a referer of https://evil.com/cacti/ passes the substring check, and after a successful login Cacti sends the now authenticated user to evil.com. Where Cacti is served from the web root and CACTI_PATH_URL is /, every referer passes. The practical use is phishing: the victim follows a link that genuinely points at the real Cacti login page, logs in there, and is then delivered to a look-alike page that can claim the login failed and ask for the password again. The redirect does not by itself hand the Cacti session to the attacker; the damage comes from what the victim does on the destination page.

The weakness is CWE-601, URL Redirection to Untrusted Site ('Open Redirect'): a redirect target taken from request data is not checked to be on the application's own host or on an explicit allow-list. VulDB's ATT&CK mapping for this entry is T1566.001; the sub-technique that describes an open redirect used in a phishing link is T1566.002 (Spearphishing Link), since the link the victim sees starts at a trusted hostname and ends on an attacker page. The notable detail is that Cacti already shipped a suitable validator, validate_redirect_url() in lib/html_utility.php, but auth_login_redirect() never called it. The defect is a missing call to an existing control rather than a design flaw.

Version 1.2.31 fixes the issue by passing the referer through validate_redirect_url() in auth_login_redirect() instead of the substring check, so a target on another host is no longer accepted. Sites on affected versions should upgrade to 1.2.31 or later. Until then, only accounts whose login_opts is '1' reach the vulnerable branch, so switching affected accounts to a login option other than '1' closes it. Exploitation needs more than a stray link: the victim has to reach the login page with a Referer header carrying the attacker's full URL (current browsers default to strict-origin-when-cross-origin, which sends only the origin on cross-site navigation, so the attacker's page must set a more permissive Referrer-Policy) and must then authenticate successfully. For monitoring, log the Referer header on requests to the login endpoint and alert on hosts other than the Cacti host; a referer such as https://evil.com/cacti/ is an unambiguous indicator. As defense in depth, redirect targets anywhere in the application should be rebuilt as path-relative URLs on the known host rather than echoed back from request data.
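The difference between the substring check and a host check, as an added example in PHP that is not Cacti's code: the first function mirrors the shape of the pre-1.2.31 check described above, the second is a stand-in for what a redirect validator should do (it is not Cacti's validate_redirect_url(), whose signature is not given here). CACTI_PATH_URL is set to /cacti/ as in the advisory; the expected host cacti.example.com, the CACTI_EXPECTED_HOST and CACTI_FALLBACK constants, and the sample referers are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constants assumed for this example (Cacti derives the real ones from its config).
const CACTI_PATH_URL      = '/cacti/';
const CACTI_EXPECTED_HOST = 'cacti.example.com';
const CACTI_FALLBACK      = CACTI_PATH_URL . 'index.php';

/**
 * Shape of the pre-1.2.31 check: any referer that merely contains the Cacti
 * path is accepted as the post-login target, whatever host it points at.
 */
function vulnerable_login_redirect_target(string $referer): string
{
    if (str_contains($referer, CACTI_PATH_URL)) {
        return $referer;
    }
    return CACTI_FALLBACK;
}

/**
 * Hardened check: parse the URL, require our own host (if a host is present at
 * all), require the path to start with the Cacti path, and re-emit only the
 * path and query so the browser stays on the current scheme and host.
 */
function safe_login_redirect_target(string $referer): string
{
    // Browsers accept backslashes and control characters where parse_url()
    // does not; refuse such input instead of guessing how it will be read.
    if ($referer === '' || str_contains($referer, '\\') || preg_match('/[[:cntrl:]]/', $referer)) {
        return CACTI_FALLBACK;
    }

    $parts = parse_url($referer);
    if ($parts === false) {
        return CACTI_FALLBACK;
    }

    // Absolute or scheme-relative URL: the host must be ours, the scheme http(s),
    // and there must be no userinfo (https://cacti.example.com@evil.com/ has host evil.com).
    if (isset($parts['host']) && strtolower($parts['host']) !== CACTI_EXPECTED_HOST) {
        return CACTI_FALLBACK;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return CACTI_FALLBACK;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return CACTI_FALLBACK;
    }

    // The path must be inside the Cacti web root, not merely contain it somewhere.
    $path = $parts['path'] ?? '';
    if (!str_starts_with($path, CACTI_PATH_URL)) {
        return CACTI_FALLBACK;
    }

    $target = $path;
    if (isset($parts['query']) && $parts['query'] !== '') {
        $target .= '?' . $parts['query'];
    }
    return $target;
}

// Constructed sample referers: one legitimate, the rest attacker-shaped.
$samples = [
    'https://cacti.example.com/cacti/graph_view.php?action=tree' => 'legitimate referer on the Cacti host',
    'https://evil.com/cacti/'                                     => 'advisory example: foreign host, path contains /cacti/',
    'https://cacti.example.com@evil.com/cacti/'                   => 'userinfo trick, real host is evil.com',
    '//evil.com/cacti/'                                           => 'scheme-relative URL',
    '/\\evil.com/cacti/'                                          => 'backslash, which browsers read as //evil.com',
    'https://evil.com/'                                           => 'origin-only referer (default cross-site referrer policy)',
];

foreach ($samples as $referer => $note) {
    echo $note, "\n";
    echo "  vulnerable -> ", vulnerable_login_redirect_target($referer), "\n";
    echo "  hardened   -> ", safe_login_redirect_target($referer), "\n";
}
```

Run it with php 8 (str_contains and str_starts_with need 8.0 or later). The last sample shows why the attacker's page has to opt in to a permissive referrer policy: an origin-only referer of https://evil.com/ does not contain /cacti/ and fails even the vulnerable check, while the full URL https://evil.com/cacti/ passes it. The hardened function returns a path-relative target in the accepted case, so even a referer that passes every check can never move the browser off the Cacti host.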

Responsible

GitHub M

Reservation

04/09/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00147

KEV

no

Activities

low

Sources
