Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.
Published: 2026-06-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cacti 1.2.30 and earlier versions contain an open-redirect flaw in the login redirect logic. When the login option is set to redirect to the HTTP_REFERER after successful authentication, the code uses a simple substring check against the configured Cacti path rather than a full host validation. An attacker can set a referer such as https://evil.com/cacti/; because the substring '/cacti/' is present, the redirect logic treats the URL as internal and sends the authenticated user to the malicious site, enabling phishing, credential theft, or other social-engineering attacks.
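The substring check described above, shown beside a host-validating replacement. This is an added illustrative example in PHP, not Cacti's own code, and it does not reproduce the project's validate_redirect_url() helper; CACTI_PATH_URL and str_contains() are taken from the advisory, while the host name cacti.example.org, the EXPECTED_HOST and SAFE_DEFAULT constants, the function names and the sample referers are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Illustrative example (not Cacti's code). Assumes the application is served
// from https://cacti.example.org/cacti/ ; EXPECTED_HOST, SAFE_DEFAULT and the
// function names are hypothetical stand-ins.
const CACTI_PATH_URL = '/cacti/';                      // base path named in the advisory
const EXPECTED_HOST  = 'cacti.example.org';           // assumed: the host Cacti is served from
const SAFE_DEFAULT   = CACTI_PATH_URL . 'index.php';  // assumed: fallback landing page

// The vulnerable pattern (CWE-601): a substring test only. Any URL containing
// '/cacti/' anywhere, including on a foreign host, is accepted as a target.
function vulnerable_redirect_target(string $referer): string
{
    if (str_contains($referer, CACTI_PATH_URL)) {
        return $referer;
    }
    return SAFE_DEFAULT;
}

// Hardened pattern: parse the URL, require our own host when one is present,
// require the path to start with the application prefix, then rebuild a
// site-relative target so scheme and host can never be attacker-chosen.
function hardened_redirect_target(string $referer): string
{
    $parts = parse_url($referer);
    if ($parts === false) {
        return SAFE_DEFAULT;
    }

    if (isset($parts['host'])) {
        // Absolute or protocol-relative ("//evil.com/cacti/") reference:
        // the host must be ours and the scheme plain http/https.
        if (strcasecmp($parts['host'], EXPECTED_HOST) !== 0) {
            return SAFE_DEFAULT;
        }
        if (isset($parts['scheme'])
            && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return SAFE_DEFAULT;
        }
    } elseif (isset($parts['scheme'])) {
        // A scheme without a host (e.g. a non-URL scheme) is never a page of ours.
        return SAFE_DEFAULT;
    }

    $path = $parts['path'] ?? '';
    if (!str_starts_with($path, CACTI_PATH_URL)) {
        return SAFE_DEFAULT;
    }

    $target = $path;
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target;
}

// Constructed sample referers: one legitimate absolute URL, the advisory's
// example, a relative reference, a protocol-relative foreign host, and a
// same-host URL outside the application prefix.
$samples = [
    'https://cacti.example.org/cacti/graph_view.php?action=tree',
    'https://evil.com/cacti/',
    '/cacti/host.php',
    '//evil.com/cacti/',
    'https://cacti.example.org/other/',
];

foreach ($samples as $s) {
    printf("%-58s vulnerable=%-52s hardened=%s\n",
        $s, vulnerable_redirect_target($s), hardened_redirect_target($s));
}
```

Run with `php example.php` on PHP 8.0 or newer (str_contains() and str_starts_with() were added in 8.0). The vulnerable function returns https://evil.com/cacti/ and //evil.com/cacti/ unchanged, while the hardened one maps both to the fallback page and reduces accepted referers to a site-relative path plus query string, which is the property a reviewer should look for in any "redirect back after login" code.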

Affected Systems

The vulnerability affects the open source performance and fault management framework Cacti, specifically versions 1.2.30 and all earlier releases. The issue was fixed in version 1.2.31, which implements proper host validation for redirects.

Risk and Exploitability

The flaw carries a CVSS score of 6.1, indicating moderate severity. Although an EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the attack path is straightforward: an attacker who can influence the HTTP_REFERER header of a logged-in user can redirect that user to an arbitrary external site. The potential impact on confidentiality, integrity, or availability is limited to credential compromise or defacement via phishing, but the ease of exploitation and the possibility of mass targeting of users elevate the overall risk to a moderate level.

Generated by OpenCVE AI on June 25, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or newer to apply the vendor patch.
  • If an upgrade cannot be performed immediately, disable the login redirect option by setting login_opts to a value that does not use the HTTP_REFERER (for example, 0 or a value that always redirects to a fixed internal page).
  • As a temporary safeguard, configure the web server or reverse proxy in front of Cacti to strip or replace the HTTP_REFERER header before it reaches the application, preventing the redirect logic from acting on malicious values.

Generated by OpenCVE AI on June 25, 2026 at 23:20 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 03:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cacti; Cacti cacti

Type: Vendors & Products
Values Removed: (none)
Values Added: Cacti; Cacti cacti

Thu, 25 Jun 2026 22:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.

Type: Title
Values Removed: (none)
Values Added: Cacti: Open Redirect via HTTP_REFERER substring check in auth_login_redirect

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-601

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T14:09:20.592Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40080

Vulnrichment

Updated: 2026-06-26T14:06:49.864Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T03:15:16Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')