Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.
Published: 2026-06-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a signature validation bypass in the Cacti package import function. It allows an attacker to install self‑signed packages that normally must be authenticated, potentially enabling arbitrary code execution or the deployment of malicious extensions. This flaw is classified as CWE‑347.

Affected Systems

Cacti 1.2.30 and earlier versions are affected. The issue is fixed in version 1.2.31 and later releases.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while no EPSS score is available and the vulnerability is not listed in CISA KEV. The bypass can be exploited through the web interface where users upload packages; an authenticated user with import rights can upload a malicious package that bypasses signature checks. The attack vector is likely the web application, requiring local or authenticated access to the import feature. The overall risk remains significant for environments that allow package imports from untrusted sources.

Generated by OpenCVE AI on June 26, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later to apply the vendor patch that restores signature verification.
  • Restrict the package import feature to trusted administrators only, or disable it completely if it is not needed.
  • If immediate upgrade is not possible, review the application configuration to enforce strict signature checks for uploaded packages and roll back to a version that performs proper validation until the patch is applied.

Generated by OpenCVE AI on June 26, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Cacti
Cacti cacti
Vendors & Products Cacti
Cacti cacti

Thu, 25 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.
Title Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T14:57:48.522Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40941

cve-icon Vulnrichment

Updated: 2026-06-26T14:57:36.739Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T23:01:30Z

Links: CVE-2026-40941 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T03:30:06Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature