Bug 2493259 (CVE-2026-40080) - CVE-2026-40080 cacti: open redirect via HTTP_REFERER substring check in auth_login_redirect
Summary: CVE-2026-40080 cacti: open redirect via HTTP_REFERER substring check in auth_...
Keywords:
Status: NEW
Alias: CVE-2026-40080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494749
Blocks:
Reported: 2026-06-25 23:01 UTC by OSIDB Bzimport
Modified: 2026-06-30 02:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-25 23:01:29 UTC
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, auth_login_redirect() is vulnerable to open redirect because it validates the post-login redirect target with a substring check, str_contains($referer, CACTI_PATH_URL), rather than a host check. When the user's login_opts == '1' (redirect to the referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/: where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper in lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.
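The substring check described above beside a host-based check, as an added illustration in PHP. This is not Cacti's own code: the CACTI_PATH_URL value, the expected host name and the function names are assumptions for the demo, and safe_redirect_target() is an illustrative check, not Cacti's validate_redirect_url().

```php
<?php
// Added illustration, not Cacti's code. CACTI_PATH_URL value, expected host
// and function names are assumptions for the demo.
const CACTI_PATH_URL = '/cacti/';

// Vulnerable pattern from the advisory: a substring check on the raw Referer.
// Any URL that merely contains "/cacti/" anywhere passes.
function vulnerable_redirect_target(string $referer): ?string
{
    return str_contains($referer, CACTI_PATH_URL) ? $referer : null;
}

// Hardened pattern (illustrative, not Cacti's validate_redirect_url()):
// parse the URL, require scheme and host to match the application's own,
// require the path to start with the application path, and rebuild the
// target from the validated parts instead of echoing the raw header.
function safe_redirect_target(string $referer, string $expectedHost, string $expectedScheme = 'https'): ?string
{
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return null;
    }
    // Protocol-relative ("//evil.com/...") or scheme-mismatched referers are rejected
    if (!isset($parts['scheme']) || strcasecmp($parts['scheme'], $expectedScheme) !== 0) {
        return null;
    }
    if (strcasecmp($parts['host'], $expectedHost) !== 0) {
        return null;
    }
    // parse_url separates userinfo; reject "https://cacti.example@evil.com/" style input
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!str_starts_with($parts['path'], CACTI_PATH_URL)) {
        return null;
    }
    return $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . $parts['path']
        . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed sample referers for the demo
$cases = [
    'https://cacti.example/cacti/graph_view.php?action=tree', // legitimate
    'https://evil.com/cacti/',                                // advisory's example
    'https://cacti.example@evil.com/cacti/',                  // userinfo trick
    'https://evil.com/?next=/cacti/',                         // substring in the query
    '//evil.com/cacti/',                                      // protocol-relative
];
foreach ($cases as $ref) {
    printf("%-58s substring=%-5s host-check=%s\n", $ref,
        vulnerable_redirect_target($ref) !== null ? 'allow' : 'deny',
        safe_redirect_target($ref, 'cacti.example') ?? 'deny');
}
```

Only the first case survives the host-based check; the substring check lets every one of them through. Two practical notes: the Referer header is attacker-controlled and may be absent, so a safe redirect falls back to a fixed in-application page when validation fails rather than to the raw header, and the target is rebuilt from parsed components so that nothing the parser did not understand reaches the Location header.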

