CVE-2026-40082
Received - Intake
Session Fixation in Cacti Open Source Monitoring Framework

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior do not call session_regenerate_id() after a successful login, which leads to session fixation. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these settings do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.
Affected Vendors & Products (2 associated CPEs)

Vendor | Product | Version / Range
cacti  | cacti   | up to 1.2.31 (excluding)
cacti  | cacti   | 1.2.31
CWE ID | Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Executive Summary

This vulnerability exists in Cacti versions 1.2.30 and earlier, where the application does not call session_regenerate_id() after a user logs in successfully. Specifically, the login process directly sets the session user ID without rotating the session ID, which leads to a session fixation issue.

Session fixation allows an attacker to fix a user's session ID before login, so that once the user authenticates, the attacker-known ID becomes an authenticated session and the attacker can hijack it.

Although the session cookie settings are configured securely (HttpOnly, SameSite=Strict, Secure for HTTPS), these settings do not prevent session fixation attacks via same-site vectors.

This issue was fixed in Cacti version 1.2.31 by ensuring session_regenerate_id() is called after login.

Impact Analysis

This vulnerability can allow an attacker to hijack a legitimate user's session by fixing the session ID before the user logs in.

As a result, the attacker can gain unauthorized access to the user's account and perform actions with the user's privileges.

The impact includes potential exposure of sensitive information and unauthorized changes within the Cacti performance and fault management framework.

Mitigation Strategies

The vulnerability is caused by missing session_regenerate_id() calls after login in Cacti versions 1.2.30 and prior, which leads to session fixation.

To mitigate this vulnerability immediately, upgrade Cacti to version 1.2.31 or later where this issue has been fixed.
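As an added illustration (not Cacti's own code), the two login patterns described above side by side: a handler that sets the user ID without rotating the session, and the corrected form that calls session_regenerate_id() first. The constant name SESS_USER_ID comes from the advisory; check_credentials() and the demo credentials are hypothetical stand-ins.

```php
<?php
// Added example, not Cacti code. SESS_USER_ID is named in the advisory;
// check_credentials() is a hypothetical stand-in for a real password check.
const SESS_USER_ID = 'sess_user_id';

function ensure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Hypothetical credential check; a real application verifies a password hash.
function check_credentials(string $user, string $password): ?int {
    return ($user === 'demo' && $password === 'demo') ? 1 : null;
}

// BEFORE (vulnerable pattern): the session ID issued before login survives
// authentication, so an ID already known to a third party becomes an
// authenticated session the moment the user logs in.
function login_vulnerable(string $user, string $password): bool {
    ensure_session();
    $uid = check_credentials($user, $password);
    if ($uid === null) {
        return false;
    }
    $_SESSION[SESS_USER_ID] = $uid;   // same session ID as before login
    return true;
}

// AFTER (fixed pattern): rotate the ID on this privilege change and delete the
// old session data, so any pre-login identifier is no longer valid.
function login_fixed(string $user, string $password): bool {
    ensure_session();
    $uid = check_credentials($user, $password);
    if ($uid === null) {
        return false;
    }
    $_SESSION = [];                    // drop state carried in from pre-login
    session_regenerate_id(true);       // fresh ID; true discards the old session
    $_SESSION[SESS_USER_ID] = $uid;
    return true;
}

// Self-check (run from the CLI): the fixed flow must yield a different ID.
ensure_session();
$before = session_id();
login_fixed('demo', 'demo');
echo session_id() !== $before ? "session ID rotated\n" : "session ID NOT rotated\n";
```

The same check, comparing session_id() before and after login, is a cheap regression test to keep in any application that manages its own sessions.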
