CVE-2026-40080
Status: Received
Open Redirect Vulnerability in Cacti Framework

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to an Open Redirect because the post-login redirect target was validated with a substring check, str_contains($referer, CACTI_PATH_URL), rather than a check of the referer's host. When the user's login_opts == '1' (redirect to the referer after login), auth_login_redirect() used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/: where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper in lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.
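The distinction the description draws, substring containment versus validation of the URL's origin, shown as an added PHP example. This is not Cacti's code and not its validate_redirect_url() helper; CACTI_PATH_URL and the weak str_contains() check come from the advisory, while the base URL, the is_same_origin_redirect() and choose_post_login_target() names and the sample referers are constructed for illustration. It needs PHP 8 for str_contains() and str_starts_with().

```php
<?php
// Added illustrative example, not Cacti's own code. The helper names and the
// base URL below are assumptions; only CACTI_PATH_URL and the weak substring
// check mirror what the advisory describes.

const CACTI_PATH_URL = '/cacti/';                                    // from the advisory
const EXAMPLE_BASE_URL = 'https://monitor.example.internal/cacti/';  // constructed

// The weak check described in the advisory: any URL containing "/cacti/" passes,
// including URLs on foreign hosts.
function weak_referer_check(string $referer): bool
{
    return str_contains($referer, CACTI_PATH_URL);
}

// Hardened check: the candidate must be either a path-absolute URL under the
// Cacti prefix, or an absolute URL whose scheme, host and port match the
// configured base URL and whose path stays under the prefix. Anything that does
// not parse is rejected.
function is_same_origin_redirect(string $candidate, string $base_url): bool
{
    $c = parse_url($candidate);
    $b = parse_url($base_url);
    if ($c === false || $b === false || !isset($b['host'])) {
        return false;
    }
    $path = $c['path'] ?? '/';
    // Backslashes are normalised to slashes by browsers; do not let them through.
    if (str_contains($path, '\\') || !str_starts_with($path, CACTI_PATH_URL)) {
        return false;
    }
    // No host: a relative target such as "/cacti/graph_view.php". parse_url()
    // reports protocol-relative forms ("//host/...") with a host, so they fall
    // through to the origin comparison below instead of being accepted here.
    if (!isset($c['host'])) {
        return true;
    }
    // Embedded credentials ("https://trusted@evil.example/") are never legitimate here.
    if (isset($c['user']) || isset($c['pass'])) {
        return false;
    }
    $scheme_ok = strtolower($c['scheme'] ?? '') === strtolower($b['scheme'] ?? '');
    $host_ok   = strcasecmp($c['host'], $b['host']) === 0;
    $port_ok   = ($c['port'] ?? null) === ($b['port'] ?? null);
    return $scheme_ok && $host_ok && $port_ok;
}

// How a login handler would apply the check (assumed structure, not Cacti's
// auth_login_redirect()): honour the referer only if it passes, otherwise fall
// back to the local Cacti root.
function choose_post_login_target(?string $referer, string $base_url): string
{
    if ($referer !== null && is_same_origin_redirect($referer, $base_url)) {
        return $referer;
    }
    return $base_url;
}

// Constructed referers exercising both checks.
$candidates = [
    'https://monitor.example.internal/cacti/graph_view.php', // legitimate
    '/cacti/index.php',                                      // legitimate relative target
    'https://evil.example/cacti/',                           // the shape from the advisory
    '//evil.example/cacti/',                                 // protocol-relative variant
    'https://monitor.example.internal/other/',               // same host, outside prefix
];

foreach ($candidates as $url) {
    printf("%-58s weak=%-4s hardened=%s\n", $url,
        weak_referer_check($url) ? 'pass' : 'fail',
        is_same_origin_redirect($url, EXAMPLE_BASE_URL) ? 'pass' : 'fail');
}
echo 'redirect target: ', choose_post_login_target('https://evil.example/cacti/', EXAMPLE_BASE_URL), "\n";
```

The weak check passes the first four candidates because each contains the literal "/cacti/"; the hardened check passes only the first two, and the login handler falls back to the configured base URL for the rest. Comparing against a configured base URL rather than against $_SERVER['HTTP_HOST'] matters, since the Host header is also attacker-influenced on many deployments.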
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: cacti, Product: cacti, Version / Range: versions before 1.2.31 (1.2.31 excluded)
Vendor: cacti, Product: cacti, Version / Range: 1.2.31
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability affects Cacti versions 1.2.30 and earlier. It is an Open Redirect issue caused by improper validation of the HTTP referer header during login redirection. Specifically, the code checks if the referer contains a certain substring (CACTI_PATH_URL) rather than verifying the host properly. An attacker can exploit this by crafting a malicious referer URL that includes the substring but points to an external site, causing users to be redirected to a malicious website after login.

Impact Analysis

This vulnerability can lead to users being redirected to malicious websites after logging in, which can facilitate phishing attacks or other social engineering exploits. It may cause users to unknowingly disclose sensitive information or credentials to attackers. The vulnerability has a CVSS base score of 6.1, indicating a medium severity with potential impacts on confidentiality and integrity.

Mitigation Strategies

The vulnerability is fixed in Cacti version 1.2.31. The immediate step to mitigate this vulnerability is to upgrade your Cacti installation to version 1.2.31 or later.

This update ensures that the proper validation function validate_redirect_url() is used to prevent open redirect attacks caused by improper substring checks on the HTTP referer header.
