How is CVE-2026-39955 exploited?

Network reachability (required): The vulnerable endpoint in graph_view.php is exposed over the network, so an attacker must be able to reach the Cacti service via HTTP/HTTPS from any network location. Authentication (not-required): Exploitation requires no account or session cookie; the injection point is reachable before any login step. Victim interaction (not-required): No user action is needed; the attacker sends a crafted request directly to the server without involving any logged-in user. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and repeatable with no dependency on race conditions, memory layout, or other variable environmental factors.

What is the impact of CVE-2026-39955?

An attacker can read all data stored in the Cacti database, including device credentials, poller configurations, and any other persisted records. An attacker can insert, modify, or delete database rows, corrupting monitoring data or altering device configuration stored in Cacti. Depending on the database user's filesystem privileges (for example, FILE privilege in MySQL), an attacker may be able to write arbitrary files to the server, enabling remote code execution. The Cacti service itself may be disrupted if an attacker drops tables or corrupts critical configuration data.

Back to search

CRITICALCVE-2026-39955Published 2026-06-24Modified 2026-06-24CNA GitHub_M

CVE-2026-39955: Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a pre-authentication SQL injection vulnerability in Cacti, an open source performance and fault management framework, affecting versions 1.2.30 and earlier. The flaw is reachable over the network and requires no login, because the regular expression used to validate input in graph_view.php is unanchored, allowing attackers to smuggle SQL syntax through the validation check. Successful exploitation gives an attacker full read, write, and delete access to the underlying database, and may enable remote code execution depending on database permissions. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-39955 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Cacti. Any image containing a Cacti version below 1.2.31 will surface as affected in the scan results.

Available

Triage

HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and weights that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox configured for the relevant team within each customer organization, with no manual filtering step required.

Available

Patch

Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Cacti releases a corrected package. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once the upstream fix lands.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint in graph_view.php is exposed over the network, so an attacker must be able to reach the Cacti service via HTTP/HTTPS from any network location.
AuthenticationNot required
Exploitation requires no account or session cookie; the injection point is reachable before any login step.
Victim interactionNot required
No user action is needed; the attacker sends a crafted request directly to the server without involving any logged-in user.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and repeatable with no dependency on race conditions, memory layout, or other variable environmental factors.

Blast Radius

An attacker can read all data stored in the Cacti database, including device credentials, poller configurations, and any other persisted records.
An attacker can insert, modify, or delete database rows, corrupting monitoring data or altering device configuration stored in Cacti.
Depending on the database user's filesystem privileges (for example, FILE privilege in MySQL), an attacker may be able to write arbitrary files to the server, enabling remote code execution.
The Cacti service itself may be disrupted if an attacker drops tables or corrupts critical configuration data.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-39955, the platform monitors the Cacti advisory on every ingest cycle and will trigger a patched-image rebuild automatically once version 1.2.31 or later is released. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against any affected workloads. While waiting for an upstream patch, consider compensating controls: apply a network policy that restricts inbound access to the Cacti web interface to trusted IP ranges only, enable egress filtering to limit what the Cacti host can reach if the database user holds elevated filesystem privileges, and review whether the Cacti database account's permissions can be reduced to the minimum required (removing FILE privilege where possible). HarborGuard will surface the patched rebuild and re-score affected images as soon as the upstream advisory is resolved.

See how HarborGuard automates this

Affected packages

Cacti / cacti
< 1.2.31

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified