CVE Catalog

CVE-2026-40082

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Cacti versions 1.2.30 and prior do not call session_regenerate_id() after successful login, allowing Session Fixation attacks. An attacker can fixate a session and hijack it after the victim logs in.

Risk Assessment

The risk is session hijacking of administrators or authenticated users, potentially leading to unauthorized access to monitored devices and performance management data.

Recommendation

Upgrade Cacti to version 1.2.31 or later immediately, which fixes the issue by regenerating the session ID after login.

Original NVD description (English source)

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS