Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cacti, the performance and fault management platform, suffers from an unauthenticated local file inclusion (LFI) flaw that can be abused to execute arbitrary code. The vulnerability stems from the handling of the graph_theme parameter and from the rrdtool inter-process communication (IPC) serialization hardening in versions 1.2.30 and earlier. Through this flaw an attacker can read sensitive files, inject code, and ultimately gain full control over the affected server, compromising the confidentiality, integrity, and availability of all hosted services.

Affected Systems

The affected product is the open-source Cacti system. Versions through 1.2.30, inclusive, are vulnerable; the issue was addressed in version 1.2.31. Any deployment of Cacti within this version range is at risk, regardless of environment, as the flaw does not require a privileged user or any additional software.

Risk and Exploitability

The CVSS score of 9.8 categorizes this as Critical, reflecting the ease of exploitation and severe impact. EPSS information is unavailable, so the likelihood of active exploitation is uncertain but cannot be discounted. The vulnerability is not listed in the CISA KEV catalog, yet its high severity and unauthenticated nature suggest it may be actively targeted by threat actors. The likely attack path involves sending a crafted request to the graph image rendering endpoint, using a malicious graph_theme value, thereby triggering the LFI and gaining execution on the server.

Generated by OpenCVE AI on June 24, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Cacti 1.2.31 or later to apply the vendor fix.
  • Until a patch can be applied, block unauthenticated access to the graph image generation endpoints using a firewall or access control rule to prevent the LFI vector from being exercised.
  • Ensure that all input parameters to graph generation are validated and that rrdtool IPC serialization hardening is enabled, to reduce the risk of similar flaws being introduced in the future.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.

Type: Title
  Values Removed: (none)
  Values Added: Cacti: Unauthenticated RCE on Graph Image

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-22, CWE-78

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T22:41:04.777Z

Reserved: 2026-04-07T22:40:33.820Z

Link: CVE-2026-39938

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:30:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')