HarborGuard Database

CVE-2026-39938 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-39938: Cacti: Unauthenticated RCE on Graph Image

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are affected by an unauthenticated local file inclusion (LFI) reached through graph_theme, combined with insufficient hardening of rrdtool IPC serialization. The upstream description states that this issue has been resolved in version 1.2.31.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: not listed in the advisory record
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability exists in Cacti, an open source performance and fault management framework, affecting versions 1.2.30 and earlier. The flaw is reachable over the network with no credentials and no user interaction: a local file inclusion weakness in graph_theme, combined with insufficient hardening of rrdtool IPC serialization, lets an attacker run code as the Cacti process user, with read and write access to everything that user can reach on the host. Note: the upstream description states the issue was resolved in version 1.2.31, but no fix version has been formally published in the advisory record; HarborGuard is tracking the advisory for confirmed patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Cacti, as they pass through scanning pipelines or sit in registered container registries.

Status: Available
Triage

HarborGuard scores this issue at CVSS 9.8 Critical, can weight it further against each environment's compliance policy, and then routes the finding to the inbox or ticketing integration configured for that customer organization.

Status: Available
Patch

Because no fix version has been formally confirmed in the advisory record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed upstream fix is published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Cacti web interface on its listening port from a remote host.

  • Authentication: Not required

    No account or session token is needed; the vulnerable code path is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any logged-in user or administrator.

  • Attack complexity: Low

    The CVSS vector rates attack complexity Low (AC:L): exploitation does not depend on race conditions, a specific memory layout, or other environmental prerequisites.

Blast Radius

  • An attacker achieves remote code execution and can run arbitrary commands as the Cacti process user on the host.
  • All data readable by that process, including stored credentials, API keys, and monitored device configurations, is exposed.
  • An attacker can write or overwrite files accessible to the process, including Cacti configuration files and web-accessible scripts.
  • The Cacti service and any co-located processes can be crashed or rendered unavailable.

How HarborGuard Handles This

Available on HarborGuard: because no formally confirmed fix version exists yet, the platform monitors the upstream advisory on every ingest cycle and will surface a patched-image rebuild the moment the fix is published. In the meantime, customers can apply compensating controls using HarborGuard network-policy recommendations: isolating Cacti containers behind an internal-only ingress, restricting egress from the Cacti pod to only the polling targets it needs, and, where operationally feasible, gating the graph_theme parameter at an edge proxy or with a WAF rule.

When a confirmed fix does ship, customers with auto-remediation enabled will receive a rebuilt image at the patched version, an automated regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.
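Two checks that follow from the advisory data on this page, written here as an added example rather than HarborGuard or Cacti code: a version comparison against the page's affected range (anything below 1.2.31), and the allow-list decision an edge proxy or WAF could apply to the graph_theme parameter as a compensating control. The parameter name comes from the page; that it arrives as a query or form field, the accepted theme-name shape, and the request paths in the sample input are assumptions. The gate normalises parameter names the way PHP does ('.' and ' ' become '_', a trailing '[]' marks an array element), because a rule that only matches the literal string graph_theme would miss those spellings.

```python
import re
from urllib.parse import parse_qs, urlsplit

# From the advisory on this page: affected versions are < 1.2.31.
FIXED_VERSION = (1, 2, 31)

# Assumed shape of a legitimate theme name (not from the page): a short token
# of letters, digits, '-' and '_'. Anything else (path separators, dots,
# NUL bytes, percent signs left over from double encoding) is rejected.
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def parse_version(text):
    """Turn '1.2.30' (or 'v1.2.30', '1.2.30-rc1') into a comparable tuple.

    Only the leading numeric components are compared, so a pre-release of
    1.2.31 counts as fixed here; the page says nothing about pre-releases,
    so tighten this if you deploy them.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.2' to (1, 2, 0)


def is_affected(version):
    """True if the given Cacti version falls inside the affected range."""
    return parse_version(version) < FIXED_VERSION


def php_variable_name(raw_key):
    """Approximate PHP's mapping of a query/form key onto a $_GET/$_POST name:
    a trailing '[...]' marks an array element and is dropped, and '.' and ' '
    in the name become '_'. A gate that compares the raw key against the
    literal 'graph_theme' misses 'graph.theme' and 'graph_theme[]'.
    """
    name = re.sub(r"\[.*\]$", "", raw_key)
    return name.replace(".", "_").replace(" ", "_")


def gate_graph_theme(url, body=""):
    """Return (allow, reason) for one request.

    Both the query string and an application/x-www-form-urlencoded body are
    inspected, because a rule that only looks at the query string is bypassed
    by moving the parameter into the body. A blank value is treated as absent.
    """
    for source in (urlsplit(url).query, body):
        for raw_key, values in parse_qs(source, keep_blank_values=True).items():
            if php_variable_name(raw_key) != "graph_theme":
                continue
            for value in values:
                if value and not THEME_NAME.fullmatch(value):
                    return False, f"graph_theme rejected: {value!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input, not captured traffic; the paths are placeholders.
    for v in ("1.2.30", "1.2.31", "1.3.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for req in (
        ("/cacti/index.php?graph_theme=modern", ""),
        ("/cacti/index.php?graph_theme=../../../../etc/passwd", ""),
        ("/cacti/index.php?graph.theme=%2e%2e%2f", ""),
        ("/cacti/index.php", "graph_theme%5B%5D=..%2Fx"),
    ):
        print(req, gate_graph_theme(*req))
```

The allow-list is deliberately tighter than a deny-list of traversal sequences: it does not need to anticipate every encoding, and a legitimate theme name never needs a path separator, so the operational risk of the rule is limited to rejecting an unusual but valid theme name, which the regex can be widened to accept.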

Affected packages
  • Cacti / cacti: < 1.2.31
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H