Session Fixation Risk in Cacti Performance Management Framework
CVE-2026-40082

5.4 MEDIUM

Key Information:

Vendor: Cacti
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-40082?

Cacti, an open source performance and fault management framework, has a vulnerability in its session management process. Versions 1.2.30 and earlier do not call the session_regenerate_id() function after a user successfully logs in, which can expose users to session fixation attacks. This oversight allows an attacker to hijack a user session by predicting or reusing session IDs. Although Cacti implements secure cookie settings, these do not mitigate the risks associated with the missed session ID rotation after authentication. This issue has been addressed in Cacti version 1.2.31.
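The following PHP snippet is an added illustration, not Cacti's own code: it places a login handler that keeps the pre-authentication session ID beside one that rotates it with session_regenerate_id(), which is the behaviour the 1.2.31 fix restores. The credential check and the user name are constructed stand-ins.

```php
<?php
// Added example (not Cacti's code): why secure cookie flags alone do not
// prevent session fixation, and what rotating the ID on login changes.

// Good cookie hygiene, but it does not invalidate an ID that was planted
// in the browser before authentication.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// Constructed stand-in for Cacti's real credential check.
function verify_credentials(string $user, string $pass): bool
{
    return $user === 'alice' && hash_equals('example-password', $pass);
}

// Vulnerable pattern (Cacti <= 1.2.30): the session ID that existed before
// login is kept, so a pre-authentication ID becomes an authenticated one.
function login_without_rotation(string $user, string $pass): bool
{
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Hardened pattern: rotate the ID at the privilege boundary. Passing true
// deletes the old session data, so the pre-login ID no longer resolves.
function login_with_rotation(string $user, string $pass): bool
{
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    $old_id = session_id();
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    error_log("session id rotated on login: {$old_id} -> " . session_id());
    return true;
}

// Constructed check: the ID must differ after a successful login.
$before = session_id();
login_with_rotation('alice', 'example-password');
printf("session id changed after login: %s\n",
    session_id() !== $before ? 'yes' : 'no');
```

A quick audit of an installation is to compare the session cookie value before and after a successful login; if it is unchanged, the rotation is missing.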

Affected Version(s)

cacti < 1.2.31

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
