Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass which allows self-signed packages. This issue has been fixed in version 1.2.31.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a signature validation bypass in the Cacti package import function. It allows an attacker to install self‑signed packages that normally must be authenticated, potentially enabling arbitrary code execution or the deployment of malicious extensions. This flaw is classified as CWE‑347.

Affected Systems

Cacti 1.2.30 and earlier versions are affected. The issue is fixed in version 1.2.31 and later releases.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while no EPSS score is available and the vulnerability is not listed in CISA KEV. The bypass can be exploited through the web interface where users upload packages: an authenticated user with import rights can upload a package whose self-signed signature is accepted instead of being rejected. The CVSS 4.0 vector (AV:N/PR:L/UI:N) places the attack over the network with low-privilege authenticated access and no user interaction, which in practice means an account that can reach the import feature. The overall risk remains significant for environments that allow package imports from untrusted sources.

Generated by OpenCVE AI on June 26, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later to apply the vendor patch that restores signature verification.
  • Restrict the package import feature to trusted administrators only, or disable it completely if it is not needed.
  • If immediate upgrade is not possible, review the application configuration to enforce strict signature checks for uploaded packages and roll back to a version that performs proper validation until the patch is applied.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass which allows self-signed packages. This issue has been fixed in version 1.2.31.
Title         (none)           Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages
Weaknesses    (none)           CWE-347
References    (none)
Metrics       (none)           cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T23:01:30.937Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40941

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T00:30:17Z

Weaknesses
  • CWE-347: Improper Verification of Cryptographic Signature