CVE-2026-40080
Analyzed Analyzed - Analysis Complete

Open Redirect Vulnerability in Cacti Framework

Vulnerability report for CVE-2026-40080, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cacti cacti to 1.2.31 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to redirect users to malicious websites after login, which can lead to phishing attacks or other malicious activities.

Such open redirect vulnerabilities can potentially expose users to data theft or unauthorized access, which may impact compliance with standards like GDPR or HIPAA that require protection of user data and secure authentication processes.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Executive Summary

This vulnerability affects Cacti versions 1.2.30 and earlier. It is an Open Redirect issue caused by improper validation of the HTTP referer header during login redirection. Specifically, the code checks if the referer contains a certain substring (CACTI_PATH_URL) rather than verifying the host properly. An attacker can exploit this by crafting a malicious referer URL that includes the substring but points to an external site, causing users to be redirected to a malicious website after login.

Impact Analysis

This vulnerability can lead to users being redirected to malicious websites after logging in, which can facilitate phishing attacks or other social engineering exploits. It may cause users to unknowingly disclose sensitive information or credentials to attackers. The vulnerability has a CVSS base score of 6.1, indicating a medium severity with potential impacts on confidentiality and integrity.

Mitigation Strategies

The vulnerability is fixed in Cacti version 1.2.31. The immediate step to mitigate this vulnerability is to upgrade your Cacti installation to version 1.2.31 or later.

This update ensures that the proper validation function validate_redirect_url() is used to prevent open redirect attacks caused by improper substring checks on the HTTP referer header.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Cacti login page that contain suspicious or malicious HTTP_REFERER headers. Specifically, look for referer URLs that include the Cacti path substring but originate from external or untrusted domains, such as URLs like https://evil.com/cacti/.

You can use network traffic inspection tools or web server logs to identify such requests.

Example commands to detect potentially malicious referer headers in web server logs (assuming Apache logs):

  • grep -i 'Referer: .*\/cacti\/' /var/log/apache2/access.log | grep -v 'your-cacti-domain.com'
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Referer: .*\/cacti\/'

These commands search for HTTP_REFERER headers containing the Cacti path but exclude legitimate internal domains, helping to identify attempts to exploit the open redirect vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart