CVE-2026-40082 in Cacti
Summary
by MITRE • 06/26/2026
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.
Analysis
by VulDB Data Team • 06/26/2026
Cacti represents a widely deployed open source network monitoring and performance management framework that serves organizations across various sectors including enterprise environments, government agencies, and service providers. The platform provides comprehensive infrastructure monitoring capabilities through its web-based interface, making it a critical component in IT operations management. Given its widespread adoption and the sensitive nature of the data it handles, security vulnerabilities within Cacti can have significant operational implications for organizations relying on its services. The framework's architecture includes authentication mechanisms that are essential for protecting access to monitoring data, system configurations, and administrative functions.
The core vulnerability stems from improper session management in the authentication flow of the auth_login.php file. Specifically, the code at lines 203-207 assigns the user identifier to the session variable $_SESSION[SESS_USER_ID] without calling session_regenerate_id(). This is a fundamental failure in session security practice and leaves the application open to session fixation. The implementation lacks the session rotation that should occur immediately after successful authentication, which is what prevents an attacker from retaining access through a session identifier established before login.
The operational impact of this vulnerability extends beyond simple unauthorized access, because it creates a persistent risk that can be exploited through several attack vectors. Although the session cookie configuration carries strong security attributes (httponly=true, samesite=Strict, and secure=true for HTTPS connections), these measures provide only partial protection against session fixation. The vulnerability is particularly concerning because it operates within the same-site context, where an attacker can leverage an existing session token to maintain persistent access without presenting any further authentication credentials. This weakness allows adversaries to hijack active user sessions and gain unauthorized access to monitoring data, system configurations, and administrative controls.
This specific vulnerability aligns with CWE-384, which addresses session fixation issues in web applications, and represents a clear violation of the principle of least privilege and secure session management practices. The flaw also maps to ATT&CK technique T1563.002, which covers credentials from password reuse, as attackers can leverage fixed sessions to maintain access even if users change their passwords. Organizations using affected versions of Cacti face heightened risk of unauthorized access to critical infrastructure monitoring systems, potentially exposing sensitive network data and operational information. The vulnerability demonstrates a fundamental security oversight in the authentication flow that directly contradicts established secure coding practices and industry standards for web application security.
The remediation approach requires immediate upgrade to version 1.2.31 or later, which implements proper session regeneration after successful authentication. Organizations should conduct comprehensive security assessments of their Cacti deployments to identify any potential exploitation attempts, review access logs for suspicious activity, and ensure that all users are migrated to secure versions of the software. Additionally, implementing network monitoring controls and regular security audits can help detect and prevent exploitation attempts while maintaining continuous visibility into system access patterns and potential unauthorized activities.
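To make the flaw described above and the remediation concrete, the following is an added illustration, not Cacti's own code: a minimal login function in the vulnerable shape beside the fixed shape, plus a self-check that confirms the session ID is rotated. The function names, the `$user_id` argument and the constructed user id 42 are assumptions; only the SESS_USER_ID session key comes from the advisory.

```php
<?php
// Added illustration (not Cacti's code): the vulnerable login pattern beside the
// fixed one. SESS_USER_ID is the session key named in the advisory; the function
// names, the $user_id argument and the user id 42 are constructed for this example.
declare(strict_types=1);

define('SESS_USER_ID', 'sess_user_id');

/* Vulnerable shape (Cacti 1.2.30 and prior, per the advisory): the pre-login
 * session ID survives authentication, so an identifier established before login
 * remains valid afterwards. */
function login_vulnerable(int $user_id): void
{
    $_SESSION[SESS_USER_ID] = $user_id;
}

/* Fixed shape: rotate the session ID first, then store the identity.
 * Passing true deletes the old session data so the pre-login ID cannot be reused. */
function login_fixed(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION[SESS_USER_ID] = $user_id;
}

/* Regression check: returns true only when the login rotated the session ID. */
function login_rotates_session(callable $login): bool
{
    $before = session_id();
    $login(42); // constructed user id
    return session_id() !== $before;
}

// Command-line demonstration: the session layer uses the default file handler and
// cookie headers are simply not emitted outside a web server.
if (PHP_SAPI === 'cli') {
    session_start();
    printf("vulnerable login rotated ID: %s\n", login_rotates_session('login_vulnerable') ? 'yes' : 'no');
    printf("fixed login rotated ID:      %s\n", login_rotates_session('login_fixed') ? 'yes' : 'no');
    session_destroy();
}
```

The same check can be turned into a unit test against any PHP login handler: capture session_id() before calling it and assert that it differs afterwards.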