CVE-2026-39893 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-39893: Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
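The following is an added illustration of the flaw class the advisory describes; it is not Cacti's code and not the actual query in graph_view.php. It uses an in-memory SQLite database with a registered REGEXP function as a stand-in for MySQL's RLIKE (the two operators are synonyms in MySQL). The graph table, its rows and the hypothetical "restricted" flag are constructed for the example. `vulnerable_filter` reproduces the pattern the advisory names, string concatenation of the request variable into the regex clause; `hardened_filter` binds the same variable as a parameter, so whatever the client sends is only ever a regular expression.

```python
import re
import sqlite3

# Constructed sample data standing in for a graph table; not Cacti's schema.
# The third column is a hypothetical "restricted" flag the query is meant to enforce
# for the guest user.
SAMPLE_ROWS = [
    (1, "core-router uptime", 0),
    (2, "edge-switch traffic", 0),
    (3, "payroll-db disk usage", 1),
]


def make_db():
    """Build an in-memory SQLite database with a REGEXP operator (MySQL RLIKE stand-in)."""
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates `value REGEXP pattern` by calling regexp(pattern, value).
    conn.create_function("REGEXP", 2, lambda pat, val: re.search(pat, val) is not None)
    conn.execute("CREATE TABLE graph (id INTEGER, title_cache TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO graph VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_filter(conn, rfilter):
    """The flawed pattern: the request variable is spliced into the SQL text."""
    sql = ("SELECT id FROM graph WHERE restricted = 0 "
           "AND title_cache REGEXP '" + rfilter + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def hardened_filter(conn, rfilter):
    """The fix: the value is bound as a parameter and can only ever be a regex pattern."""
    sql = "SELECT id FROM graph WHERE restricted = 0 AND title_cache REGEXP ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (rfilter,))]


if __name__ == "__main__":
    db = make_db()
    benign = "router"
    # Closes the string literal, ORs in a tautology, and comments out the rest of the query.
    payload = "' OR 1=1 -- "
    print("benign  vulnerable:", vulnerable_filter(db, benign))   # [1]
    print("benign  hardened:  ", hardened_filter(db, benign))     # [1]
    print("payload vulnerable:", vulnerable_filter(db, payload))  # [1, 2, 3], restricted row leaks
    print("payload hardened:  ", hardened_filter(db, payload))    # [], treated as a regex, matches nothing
```

Parameter binding removes the injection but does not make the operator harmless: with RLIKE/REGEXP the client still supplies a pattern the database evaluates, so a length cap or character allow-list on rfilter is a reasonable second layer against pathological expressions.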

Metrics

CVSS v3.1: 9.8 (Critical)
Fixed in: 1.2.31
Affected products: 1


HarborGuard Analysis

Synopsis

Pre-authentication SQL injection in Cacti affects versions 1.2.30 and prior via the rfilter request variable in graph_view.php, which is concatenated into an RLIKE clause without sanitization. On installs with guest graph viewing enabled the endpoint is reachable over the network without credentials, so an attacker needs only HTTP access to the server. Successful exploitation gives the attacker read, write and delete access to the Cacti database, bounded by the privileges of the database account Cacti connects with. The issue is fixed upstream in version 1.2.31; HarborGuard tracks the advisory and makes a patched-image rebuild against that release available.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-39893 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including internally built images that package Cacti. Any image containing an affected version of cacti (1.2.30 or earlier) surfaces in scan results automatically.

Triage (Available)

Triage is available with the CVSS v3.1 score of 9.8 (Critical) pre-applied; per-environment compliance policy weighting can further adjust severity thresholds to match each customer organization's risk posture. Findings are routed to the appropriate team inbox within each customer org based on policy configuration.

Patch (fixed upstream in 1.2.31)

The upstream fix is Cacti 1.2.31. HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild against 1.2.31 or later available once the fix version is confirmed in the feed. For customers with auto-remediation enabled, that rebuild is followed immediately by a regression-test run and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is served over HTTP/HTTPS, so the attacker must be able to reach the Cacti server across the network.

  • Authentication: Not required

    graph_view.php serves guest graph viewing through the configured guest user, so on installs with guest viewing enabled no credentials are needed to trigger the injection. With guest viewing disabled the same code path is still reachable by authenticated users.

  • Victim interaction: Not required

    The attacker sends a crafted HTTP request directly to the server; no user action or social engineering is involved.

  • Attack complexity: Low

    The injection is a direct string concatenation into the query, so the exploit is reliable and needs no special timing, race conditions, or environment-specific conditions to succeed.

Blast Radius

  • Reads any data stored in the Cacti database, including device credentials, user password hashes, and poller configuration.
  • Modifies or deletes persisted database rows, allowing an attacker to alter monitoring targets, user accounts, or configuration records.
  • Depending on database user privileges, writes to the filesystem via SQL outfile operations, potentially enabling remote code execution.
  • Disrupts the monitoring service by truncating or corrupting critical tables, causing Cacti to stop collecting or displaying performance data.

How HarborGuard Handles This

The upstream fix is Cacti 1.2.31, so remediation is to rebuild affected images against 1.2.31 or later; HarborGuard re-checks the advisory on every ingest cycle and makes the patched-image rebuild available once the fix version is confirmed in the feed. For customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads without manual intervention. Until the upgrade is rolled out, compensating controls available within HarborGuard policy configuration include network-policy isolation to restrict inbound HTTP access to Cacti instances, egress filtering to limit exposure of the database tier, and flagging any image running an affected Cacti version (1.2.30 or earlier) as a policy violation to block promotion to production. Customers should also review whether guest graph viewing is strictly required: disabling it removes the pre-authentication path, but the injection stays reachable by authenticated users until 1.2.31 is deployed, so it is a stopgap rather than a fix.
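A retrospective log hunt for exploitation attempts, added here as an example rather than anything from the advisory or from HarborGuard: it parses constructed web-server access log lines in common log format, URL-decodes the rfilter parameter on requests to graph_view.php, and flags values carrying SQL string-literal breakouts, comment sequences or query-stacking keywords. The log lines, the indicator list and the assumption that legitimate regex filters rarely contain a single quote are all the example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /cacti/graph_view.php?action=list&rfilter=router HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "GET /cacti/graph_view.php?action=list&rfilter=%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 90311
10.0.0.9 - - [01/Jan/2026:10:00:09 +0000] "GET /cacti/graph_view.php?action=list&rfilter=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 7023
10.0.0.7 - - [01/Jan/2026:10:01:00 +0000] "GET /cacti/graph_view.php?action=list&rfilter=uptime%7Ctraffic HTTP/1.1" 200 6210
10.0.0.7 - - [01/Jan/2026:10:01:05 +0000] "GET /cacti/index.php HTTP/1.1" 302 0
"""

# Client IP, then the quoted request line "<METHOD> <target> HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Assumed indicators: string-literal breakout, comment sequences, statement separators,
# and keywords that only appear when the attacker is stacking or unioning queries.
# A plain regex filter such as "uptime|traffic" triggers none of them.
SQLI_RE = re.compile(
    r"'|--|/\*|;|\b(union|select|sleep|benchmark|information_schema)\b", re.IGNORECASE
)


def suspicious_rfilter(line):
    """Return (client_ip, decoded rfilter) when the line is a graph_view.php request
    whose rfilter looks like an injection attempt, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/graph_view.php"):
        return None
    for value in parse_qs(url.query).get("rfilter", []):
        # parse_qs decoded once; decode again so a double-encoded payload (%2527) is caught too.
        decoded = unquote(value)
        if SQLI_RE.search(decoded):
            return m.group("ip"), decoded
    return None


def hunt(log_text):
    """Scan a whole log and collect the suspicious hits in order of appearance."""
    hits = []
    for line in log_text.splitlines():
        hit = suspicious_rfilter(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, rfilter in hunt(SAMPLE_LOG):
        print(f"{ip}\trfilter={rfilter!r}")
```

A hit on a host still running 1.2.30 or earlier should be treated as a possible compromise of the Cacti database, not merely as a scan, since the injection needs no authentication on guest-enabled installs and the response size on the tautology request is a useful secondary signal.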

Affected packages
  • Cacti / cacti
    < 1.2.31 (1.2.30 and prior; fixed in 1.2.31)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H