Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing sessionregenerateid() after login, leading to Session Fixation. sessionregenerateid() is NOT called after successful login. The login flow at authlogin.php:203-207 directly sets $SESSION[SESSUSERID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40082.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-384"
]
}{
"cpe": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.2.31"
}
]
}