Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cacti, an open source performance monitoring platform, was vulnerable in releases 1.2.30 and earlier to a pre-authentication SQL injection. The flaw arose because the rfilter request variable was concatenated directly into a RLIKE SQL clause without sanitization, allowing an attacker to inject arbitrary SQL and manipulate the database. The injection could be used to exfiltrate data or modify configuration settings and, depending on the database back-end and its permissions, could lead to further system compromise. The weakness is classified as CWE-89.
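As an added illustration of the bug class described above (hypothetical code written for this note, not Cacti's own graph_view.php), the vulnerable concatenation pattern is shown beside its parameterized replacement; the table name `graph`, the column `title`, the `connect` helper and the DSN values are all assumptions.

```php
<?php
// Added illustration of the bug class, not Cacti's own code. "graph"/"title"
// are made-up names; $db is a PDO handle to MySQL or MariaDB (RLIKE is a
// MySQL-family operator).

// Vulnerable pattern: the request value is spliced into the SQL text, so a
// quote character in rfilter ends the string literal and the remainder is
// parsed as SQL rather than as a regular expression.
function graph_query_unsafe(string $rfilter): string
{
    return "SELECT id, title FROM graph WHERE title RLIKE '" . $rfilter . "'";
}

// Hardened pattern: the regex is bound as a parameter. The server receives it
// as a value, so whatever it contains can only ever act as a RLIKE pattern.
function graph_search(PDO $db, string $rfilter): array
{
    // Defence in depth: bound the length so a pathological pattern cannot
    // make the database spend unbounded time matching it.
    if (strlen($rfilter) > 256) {
        throw new InvalidArgumentException('rfilter too long');
    }

    $stmt = $db->prepare('SELECT id, title FROM graph WHERE title RLIKE ?');
    $stmt->execute([$rfilter]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Native (server-side) prepared statements keep parameter values out of the
// SQL text entirely, so there is no client-side quoting step to get wrong.
// ERRMODE_EXCEPTION turns an invalid regex into a catchable PDOException
// instead of a silently empty result.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Example wiring as a request handler would do it (DSN and credentials are
// placeholders). graph_query_unsafe() is kept above only for contrast.
$rfilter = (string) ($_GET['rfilter'] ?? '');
$db      = connect('mysql:host=localhost;dbname=cacti', 'cacti', 'PLACEHOLDER');
foreach (graph_search($db, $rfilter) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES), "\n";
}
```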

Affected Systems

All installations running Cacti version 1.2.30 or earlier are affected. The issue is exploitable in environments where guest viewing of graphs is enabled, because graph_view.php then does not require authentication. Users should check their running version and ensure that guest access is disabled if they cannot upgrade immediately.

Risk and Exploitability

The CVSS score of 9.8 reflects a critical severity. Because the endpoint is reachable without authentication, the likelihood of exploitation is high in unprotected setups. The vulnerability is not listed in CISA's KEV, and no EPSS score is available, but the absence of an authentication requirement and the severity indicate that attackers can easily discover and exploit the flaw. Exploitation requires nothing more than a request to graph_view.php carrying an rfilter parameter, after which the injected SQL is executed by the database.

Generated by OpenCVE AI on June 24, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later, which contains the patch that sanitizes the rfilter input.
  • If an upgrade cannot be performed immediately, disable guest access to graph views so that only authenticated users can view graphs, effectively removing the unauthenticated entry point used by the injection.
  • As a temporary containment measure, restrict network access to the Cacti instance or place it behind a firewall so that only trusted administrators can reach graph_view.php until the fix is applied.

Generated by OpenCVE AI on June 24, 2026 at 23:23 UTC.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:15:00 +0000

Type          Values Removed   Values Added
Description                    Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
Title                          Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:45:34.948Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39893

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:30:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')