External risk intelligence

Cacti SQL Injection via Unsanitized Request Variable.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-39893

Cacti is commonly deployed as a network monitoring and management web application. Because this vulnerability is reachable pre-authentication when guest access is enabled—a common feature in monitoring dashboards—it is frequently exposed to the internet or accessible within wide internal network segments to facilitate visibility.

SQL Injection

Cacti

before 1.2.31

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Cacti, an open-source performance monitoring framework. This issue allows unauthenticated attackers to potentially execute malicious commands by manipulating specific requests, posing a risk to system integrity and data. The primary concern is confirming if your Cacti installations are affected and, if so, to what extent.

  • Unauthenticated access can lead to unauthorized commands.
  • Critical for ensuring system integrity and data security.
  • Confirm relevance and exposure for monitoring systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to a Cacti installation. Since the vulnerability exists in a feature that supports guest access, an attacker does not need to authenticate. By manipulating a specific request variable, the attacker can inject malicious SQL code that can lead to unauthorized access and data manipulation.

  • No authentication required.
  • Manipulated request variable.
  • Full system compromise risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary SQL commands when guest user access is enabled. This could impact the integrity and availability of the Cacti system by potentially exposing or altering performance and fault management data.

  • System data and configuration at risk.
  • Via unauthenticated network requests.
  • Potential for data corruption or denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Cacti framework's SQL injection vulnerability requires immediate attention from teams managing the application and its underlying infrastructure. The first practical step is to inventory all Cacti installations, verify if guest access is enabled and if the affected endpoint is externally reachable, and identify the accountable system owner for each instance to prioritize remediation efforts.

  • Identify Cacti instances; confirm exposure.
  • Assign ownership for affected deployments.
  • Plan and execute risk-based remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cacti?

Cacti is an open-source web application used for network performance and fault management. It helps administrators track system health by collecting data from devices and displaying it through graphical dashboards. Many organizations deploy it to monitor their internal infrastructure, often providing guest access to these dashboards so that team members can view performance metrics without needing to log in individually.

What kind of vulnerability is CVE-2026-39893?

This CVE represents a SQL Injection, classified as CWE-89. It occurs because the application takes input from a user request—specifically the 'rfilter' variable—and places it directly into a database command without proper sanitization. Because the database interprets this input as part of the instruction rather than just data, an attacker can manipulate the query to access, modify, or delete information within the system.

How does an attacker trigger this SQL injection?

An attacker triggers this flaw by sending a specially crafted network request to the Cacti server that includes malicious SQL code in the 'rfilter' variable. Crucially, this does not require a valid user account. The vulnerability is only reachable if the Cacti installation has guest-level viewing enabled, as this configuration allows the application to process the affected request without forcing the user to authenticate first.

Why should I care about this vulnerability?

According to Halo Surface Signal, this vulnerability is significant because Cacti is frequently hosted on network segments that are reachable by many users or directly exposed to the internet. If your instance allows guest access, you are at risk of unauthorized command execution. This could lead to the exposure of sensitive monitoring data or the corruption of the application database, even if the server is only on an internal network.

How do I fix or mitigate CVE-2026-39893?

The primary resolution is to update your Cacti software to version 1.2.31 or later, where this vulnerability has been corrected. Before applying the update, you should inventory all your Cacti installations to confirm which are active and whether guest access is enabled. If you cannot update immediately, consider restricting access to the affected web interface to trusted users or disabling guest access until the patch is applied.

References