Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.
Published: 2026-06-25
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Cacti does not regenerate the session ID after a successful login, so a session identifier that an attacker has fixed in the victim's browser beforehand becomes an authenticated session once the victim logs in. This is session fixation: the attacker, who already knows the identifier, can then impersonate the legitimate user and gain unauthorized access to monitoring and fault-management data. The weakness is classified as CWE-384 (Session Fixation), meaning the session identifier is not refreshed at the point of authentication.

Affected Systems

Cacti, the open‑source performance and fault‑management framework, is affected in all releases up to and including version 1.2.30. Version 1.2.31 introduces the fix by calling session_regenerate_id() after authentication. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate risk; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is same-site: the attacker must first get a session identifier of their choosing set in the victim's browser, for example by tricking the user into visiting a URL that carries a prefixed session ID or by exploiting pre-existing session cookies, and that identifier becomes authenticated when the victim logs in. Successful exploitation yields session hijacking and unauthorized access with the same privileges as the compromised user.

Generated by OpenCVE AI on June 26, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later, which restores session regeneration after login.
  • Verify that session_regenerate_id() is invoked during the login process and that the session ID changes on each successful authentication.
  • Ensure that secure session cookie attributes (HttpOnly, Secure, SameSite=Strict) remain enabled to mitigate other session‑related threats.

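As an added illustration that is not Cacti's own code, the PHP below puts the login pattern the advisory describes (session ID kept across login) next to the corrected pattern that rotates the ID before storing the authenticated user, plus a check for the "session ID changes on each successful authentication" item above. SESS_USER_ID is the session key named in the advisory; its value and the function names are assumptions of this example.

```php
<?php
// Added example (not Cacti's code). SESS_USER_ID is the session key named in
// the advisory; its value and the function names here are assumptions.
define('SESS_USER_ID', 'sess_user_id');

// Cookie hardening alone (as the advisory notes) does not stop fixation:
// a pre-login ID the attacker already knows stays valid after login.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// Vulnerable pattern: the existing session ID is kept across login.
function login_without_rotation(int $userId): void
{
    $_SESSION[SESS_USER_ID] = $userId;
}

// Fixed pattern: mint a new ID at the privilege boundary, delete the old
// session data (true), and clear any state written before authentication.
function login_with_rotation(int $userId): void
{
    $previousId = session_id();
    if (!session_regenerate_id(true) || session_id() === $previousId) {
        throw new RuntimeException('session ID rotation failed; refusing login');
    }
    $_SESSION = [];
    $_SESSION[SESS_USER_ID] = $userId;
}

// Regression check: true only when the ID observed before login differs
// from the ID in use afterwards.
function session_id_rotated_on_login(callable $login, int $userId): bool
{
    $before = session_id();
    $login($userId);
    return session_id() !== $before;
}

// Constructed run: the first call reports no rotation, the second reports rotation.
var_dump(session_id_rotated_on_login('login_without_rotation', 42));
var_dump(session_id_rotated_on_login('login_with_rotation', 42));
```

The same check can be driven from outside the application by comparing the session cookie value issued before login with the one set in the login response.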


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 04:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cacti, Cacti cacti
Vendors & Products | | Cacti, Cacti cacti

Thu, 25 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.
Title | | Cacti: Session Fixation via missing session_regenerate_id() after login
Weaknesses | | CWE-384
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T22:33:45.871Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40082

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T04:00:06Z

Weaknesses