CVE-2026-40082
Analyzed Analyzed - Analysis Complete

Session Fixation in Cacti Open Source Monitoring Framework

Vulnerability report for CVE-2026-40082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cacti cacti to 1.2.31 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Cacti versions 1.2.30 and earlier, where the application does not call session_regenerate_id() after a user logs in successfully. Specifically, the login process directly sets the session user ID without rotating the session ID, which leads to a session fixation issue.

Session fixation allows an attacker to fixate a user's session ID before login, enabling them to hijack the user's authenticated session after login.

Although the session cookie settings are configured securely (HttpOnly, SameSite=Strict, Secure for HTTPS), these settings do not prevent session fixation attacks via same-site vectors.

This issue was fixed in Cacti version 1.2.31 by ensuring session_regenerate_id() is called after login.

Detection Guidance

This vulnerability involves the absence of session_regenerate_id() after login in Cacti versions 1.2.30 and prior, leading to session fixation. Detection would involve verifying whether the session ID is regenerated upon successful login.

One way to detect this on your system is to monitor the session cookie before and after login to see if the session ID changes. If the session ID remains the same after login, the system is likely vulnerable.

You can use tools like curl or browser developer tools to inspect cookies during the login process.

  • Use curl to perform a login and capture cookies: curl -c cookies.txt -d 'username=youruser&password=yourpass' https://your-cacti-instance/auth_login.php
  • Use curl again to access a page after login and check if the session cookie value has changed: curl -b cookies.txt https://your-cacti-instance/some_authenticated_page.php -v

If the session ID cookie value before and after login is identical, the vulnerability is present.

Impact Analysis

This vulnerability can allow an attacker to hijack a legitimate user's session by fixing the session ID before the user logs in.

As a result, the attacker can gain unauthorized access to the user's account and perform actions with the user's privileges.

The impact includes potential exposure of sensitive information and unauthorized changes within the Cacti performance and fault management framework.

Compliance Impact

The vulnerability involves session fixation due to missing session ID regeneration after login, which can lead to unauthorized access or session hijacking.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protecting user data and ensuring secure authentication mechanisms to prevent unauthorized access.

Failure to properly secure sessions may result in violations of these regulations' requirements for data confidentiality and integrity.

Mitigation Strategies

The vulnerability is caused by missing session_regenerate_id() calls after login in Cacti versions 1.2.30 and prior, which leads to session fixation.

To mitigate this vulnerability immediately, upgrade Cacti to version 1.2.31 or later where this issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart