CVE-2026-40082

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session regenerate id() after login, leading to Session Fixation. session regenerate id() is NOT called after successful login. The login flow at auth login.php:203-207 directly sets $ SESSION[SESS USER ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.