External risk intelligence

Cacti SQL Injection Vulnerability Affecting Graph Viewing

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-39948

Cacti is a network monitoring and management application frequently deployed as a web-facing service. The vulnerability is reachable via graph_view.php, which is a common public-facing component of the application, and the exploit path is accessible pre-authentication when guest access is enabled, making it commonly reachable from the internet.

SQL Injection

Cacti

before 1.2.31

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Cacti open-source monitoring framework, affecting its ability to manage and display performance data. This issue allows unauthenticated attackers to potentially compromise the confidentiality and integrity of the database. The main concern is confirming relevance and exposure of this technology within our environment.

  • A security flaw in Cacti could expose database information.
  • Cacti is used for network performance and fault management.
  • Confirm if Cacti is used and if guest access is enabled.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a publicly accessible graph viewing page. This request targets a parameter that is improperly handled, allowing the attacker to inject malicious SQL code into database queries. If guest graph viewing is enabled, this attack can be performed without any prior authentication.

  • No authentication required.
  • Inject SQL via a graph parameter.
  • Compromise database confidentiality and integrity.

Live Threat

Current exploitation, exposure, and threat context

When installations have guest graph viewing enabled, an unauthenticated attacker could inject arbitrary SQL by exploiting how the `rfilter` request parameter is processed. This could affect the confidentiality, integrity, and availability of the associated database.

  • Database confidentiality and integrity.
  • SQL injection via graph viewing feature.
  • Data theft and system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for Cacti, a widely used performance and fault management framework. The initial step is to locate all Cacti instances, assess their exposure and business criticality, identify the accountable owner, and then prioritize remediation based on the risk.

  • Identify Cacti instances and assess exposure.
  • Confirm asset owners and business criticality.
  • Plan remediation based on risk and maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cacti and what is it used for?

Cacti is an open-source framework designed for network performance and fault management. It provides visual representations of data by polling network devices and services to track metrics like bandwidth usage and system health over time, serving as a centralized dashboard for IT administrators to monitor infrastructure status.

What kind of vulnerability is CVE-2026-39948?

This is a SQL injection vulnerability, specifically categorized as CWE-89. It occurs because the application improperly handles user input in a specific request parameter before including it in database queries. By providing a specially crafted input, an attacker can bypass intended security checks to execute unauthorized commands against the underlying database, potentially accessing or altering sensitive information.

How does an attacker trigger this vulnerability?

An attacker triggers the flaw by sending a manipulated request to the application's graph viewing component. The vulnerability is accessible pre-authentication only when guest graph viewing is explicitly enabled in the Cacti settings. Installations where this guest feature is disabled remain protected from this specific unauthenticated attack path.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal indicates a higher likelihood of risk because Cacti is typically deployed as a web-facing service. Since the vulnerability is reachable through the graph_view.php page, instances exposed to the internet with guest access enabled are considered directly reachable by remote attackers.

What are the first steps to address this CVE?

The primary action is to identify all running instances of Cacti within your environment and verify their configuration settings, specifically whether guest graph viewing is active. Once identified, coordinate with the asset owners to update the software to version 1.2.31 or later, which contains the necessary security fixes for this flaw.

References