Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks metric values with is_numeric() and concatenates them into the RRDtool update command via PHP string interpolation. PHP's string cast of floats is locale-sensitive: if LC_NUMERIC uses comma as decimal separator (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as decimal separator, causing metric data to shift into wrong columns or be silently dropped. No setlocale() reset is present in the update path. This causes a data integrity issue, but is not remotely exploitable; it requires server locale misconfiguration. The issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 2.9 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Locale-sensitive decimal formatting in the rrdtool_function_update() function of Cacti versions 1.2.30 and earlier can corrupt RRDtool metric values. The function checks values with is_numeric() and then interpolates them into the RRDtool update command. PHP casts floating-point numbers to strings according to the LC_NUMERIC locale; when the locale uses a comma as the decimal separator (for example, de_DE), a value of 1.5 becomes the string "1,5". RRDtool expects a dot as the decimal separator, so the metric data may be shifted into wrong columns or silently dropped. This defect results in data integrity problems but is not remotely exploitable and requires a server configured with a non-standard LC_NUMERIC locale. The weakness is classified as CWE-474.
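The locale-sensitive cast described in the Description and in the Impact analysis above, as an added PHP illustration that is not Cacti's code and does not reproduce rrdtool_function_update() itself. It assumes a simplified stand-in that builds the rrdtool update command line from a list of data-source values, and the unsafe variant only misbehaves on PHP releases before 8.0, where the float-to-string cast still follows LC_NUMERIC.

```php
<?php
// Added example, not Cacti's code: a simplified stand-in for the command
// builder in rrdtool_function_update(), first in its locale-sensitive form,
// then hardened. Data-source values arrive as a list; 'U' is RRDtool's
// "unknown" marker. The sample values below are constructed.

// Locale-sensitive: is_numeric() lets the float through and "$v" then casts
// it under the current LC_NUMERIC (PHP < 8.0), so 1.5 becomes "1,5" in de_DE
// and the value lands in the wrong RRDtool column.
function build_update_unsafe(string $rrd, int $ts, array $values): string
{
    $parts = [];
    foreach ($values as $v) {
        $parts[] = is_numeric($v) ? "$v" : 'U';
    }
    return "rrdtool update $rrd $ts:" . implode(':', $parts);
}

// Hardened: %F is the locale-independent variant of %f, and a final regex
// guarantees that only dot-decimal literals reach the command line, whatever
// the process locale happens to be (the regex is this example's own choice).
function rrd_number($v): string
{
    if (!is_numeric($v)) {
        return 'U';
    }
    $s = is_float($v) ? rtrim(rtrim(sprintf('%.10F', $v), '0'), '.') : (string) $v;
    if (!preg_match('/^-?\d+(\.\d+)?$/', $s)) {
        throw new UnexpectedValueException("not an RRDtool numeric literal: $s");
    }
    return $s;
}

function build_update_safe(string $rrd, int $ts, array $values): string
{
    return "rrdtool update $rrd $ts:" . implode(':', array_map('rrd_number', $values));
}

$values = [1.5, 42];      // constructed: a float load average and a counter
$ts     = 1719267300;     // constructed timestamp

// Switch to a comma-decimal locale if one is installed; setlocale() returns
// false otherwise, in which case the unsafe builder is only correct by luck.
$loc = setlocale(LC_NUMERIC, 'de_DE.UTF-8', 'de_DE', 'de_DE@euro');
echo 'LC_NUMERIC: ' . ($loc === false ? 'comma locale not installed' : $loc) . PHP_EOL;
echo build_update_unsafe('load.rrd', $ts, $values) . PHP_EOL;
echo build_update_safe('load.rrd', $ts, $values) . PHP_EOL;
setlocale(LC_NUMERIC, 'C');   // the reset the advisory says the update path lacks
```

Running it on PHP 7.x with a German locale installed shows the unsafe line carrying "1,5" while the hardened line always carries "1.5"; on PHP 8.0 or later both lines agree because the cast itself became locale-independent.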

Affected Systems

Affected products include the Cacti performance and fault management framework. Versions 1.2.30 and earlier are vulnerable; the issue was fixed in Cacti 1.2.31.

Risk and Exploitability

The CVSS score is 2.9, indicating low severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the bug only manifests when the server locale is configured to use a comma decimal separator, the attack vector is local system configuration rather than remote exploitation. The risk is primarily a data integrity concern for monitoring dashboards and historical data analysis.

Generated by OpenCVE AI on June 24, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Cacti to version 1.2.31 or later.
  • Restart RRDtool and the Cacti web service to apply the update.
  • Configure the server's LC_NUMERIC locale to use '.' as the decimal separator to prevent future data corruption.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:15:00 +0000

Type         | Values removed | Values added
Description  |                | Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks metric values with is_numeric() and concatenates them into the RRDtool update command via PHP string interpolation. PHP's string cast of floats is locale-sensitive: if LC_NUMERIC uses comma as decimal separator (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as decimal separator, causing metric data to shift into wrong columns or be silently dropped. No setlocale() reset is present in the update path. This causes a data integrity issue, but is not remotely exploitable; it requires server locale misconfiguration. The issue has been fixed in version 1.2.31.
Title        |                | Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
Weaknesses   |                | CWE-474
References   |                |
Metrics      |                | cvssV3_1: score 2.9, vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-24T21:55:49.857Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39894

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:30:03Z

Weaknesses
  • CWE-474: Use of Function with Inconsistent Implementations