- Product: cacti
- Vulnerabilities: 4 flaws (CVE-2026-39893, CVE-2026-39948, CVE-2026-39955, CVE-2026-39938)
- Highest severity: 9.8 (Critical · CVSSv3)
- Worst impact: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
- Status: No confirmed exploitation yet
- Action: Update Cacti to version 1.2.31 now!
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-39893 | 9.8 | CWE-89 | Not exploited |
| CVE-2026-39955 | 9.8 | CWE-89 | Not exploited |
| CVE-2026-39938 | 9.8 | CWE-22 | Not exploited |
| CVE-2026-39948 | 9.3 | SQL injection via rfilter parameter in RLIKE clauses | Not exploited |
TL;DR
Cacti fixed four critical flaws in version 1.2.31. Three allow pre-authentication SQL injection, and one allows unauthenticated local file inclusion. All four score between 9.3 and 9.8.
Why It Matters
Cacti monitors networks and graphs time-series data across many servers. Admins often run it deep inside their infrastructure. Several of these Cacti vulnerabilities need no login at all: they work against installs that allow guest graph viewing, so an attacker can reach the database without any credentials. A monitoring tool also holds a wide view of the network, which makes it a useful target.
How the Attack Works
These Cacti vulnerabilities share a common root. Cacti builds SQL RLIKE clauses from the rfilter parameter without proper sanitization. As a result, a crafted value injects arbitrary SQL through graph_view.php. CVE-2026-39893 and CVE-2026-39948 follow that same pattern. CVE-2026-39955 abuses an unanchored regex filter to slip past validation. The fourth bug, CVE-2026-39938, reads local files through the graph_theme path. SQL injection can expose or alter stored data, while the file read can leak server secrets. The published Cacti security advisories detail each flaw and its fix.
Affected Versions
All four flaws affect Cacti 1.2.30 and earlier. The team fixed them in the 1.2.31 release, which bundles a broader batch of security fixes.
Patch and Mitigation
Patch these Cacti vulnerabilities by upgrading to 1.2.31 as soon as you can. Until then, disable guest graph viewing to cut the pre-auth paths. Keep the Cacti console off the public internet, and place it behind a VPN or firewall. No public proof-of-concept and no in-the-wild exploitation have been confirmed. Still, pre-auth database access is serious, so move quickly.
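The following Python sketch is an added example, not Cacti's own code, illustrating the defect classes described under "How the Attack Works" and the mitigation direction of this section. It shows why an allowlist regex applied without anchors (re.match) passes a hostile suffix that fullmatch rejects, why splicing a filter value into the SQL text lets that value change the query while binding it as a parameter keeps it as data, and a contain-within-base-directory check of the kind that defends against the graph_theme file-read class. sqlite3 with a registered REGEXP function stands in for MySQL RLIKE; the table, rows, allowlist patterns, probe string, and theme directory are all constructed for the demo and are not taken from Cacti.

```python
"""Added example (not Cacti project code). Shows, with constructed data, why an
unanchored allowlist regex fails, why splicing a filter into SQL text lets it
change the query, and the parameterized/anchored alternative; plus a
contain-in-base-directory check for a theme name."""
import os
import re
import sqlite3

# Hypothetical allowlists for a graph title filter and a theme name (constructed).
FILTER_TOKEN = re.compile(r"[A-Za-z0-9._\- ]{1,64}")
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def unanchored_ok(value: str) -> bool:
    # re.match only anchors at the start: a valid prefix lets any suffix through.
    return FILTER_TOKEN.match(value) is not None


def anchored_ok(value: str) -> bool:
    # fullmatch requires the entire string to satisfy the allowlist.
    return FILTER_TOKEN.fullmatch(value) is not None


def _regexp(pattern: str, text: str) -> bool:
    # sqlite3 invokes this for `text REGEXP pattern`; it stands in for MySQL RLIKE.
    return re.search(pattern, text) is not None


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table: one row is hidden from guest viewers.
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE graph_local (id INTEGER, title TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO graph_local VALUES (?, ?, ?)",
        [(1, "cpu-usage", 0), (2, "mem-usage", 0), (3, "secret-graph", 1)],
    )
    return conn


def search_concat(conn: sqlite3.Connection, rfilter: str) -> list:
    # Vulnerable pattern: the filter becomes part of the SQL text, so a quote
    # in the value ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT id FROM graph_local WHERE hidden = 0 "
        f"AND title REGEXP '{rfilter}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_param(conn: sqlite3.Connection, rfilter: str) -> list:
    # Hardened pattern: reject anything outside the allowlist, then bind the
    # value as a parameter so the database treats it as data, not SQL.
    if not anchored_ok(rfilter):
        raise ValueError("rejected filter")
    sql = "SELECT id FROM graph_local WHERE hidden = 0 AND title REGEXP ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (rfilter,))]


def resolve_theme(base_dir: str, theme: str) -> str:
    # Hardened theme lookup: allowlist the name, then confirm the resolved path
    # still lies inside base_dir (defends against the file-read class, CWE-22).
    if THEME_NAME.fullmatch(theme) is None:
        raise ValueError("rejected theme name")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, theme + ".css"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("theme path escapes base directory")
    return path


if __name__ == "__main__":
    db = make_db()
    probe = "cpu' OR '1'='1"  # generic quote-break test string (constructed)
    print("unanchored allowlist accepts probe:", unanchored_ok(probe))  # True
    print("anchored allowlist accepts probe:  ", anchored_ok(probe))    # False
    print("concat query, benign filter:", search_concat(db, "cpu"))     # [1]
    print("concat query, probe:        ", search_concat(db, probe))     # [1, 2, 3]
    print("param query, benign filter: ", search_param(db, "cpu"))      # [1]
    print("theme path:", resolve_theme("/srv/cacti/themes", "classic"))
```

The point to take from the run is the combination: the probe string passes the unanchored check and, in the concatenated query, turns the guest-only filter into a query that returns the hidden row as well; the parameterized path never lets the value reach the SQL parser, and the anchored allowlist rejects it before the query is even built.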
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.