Unauthenticated Database-Theft Flaw in Network Monitor Cacti (CVE-2026-39893) — Update to v1.2.31
Cacti, a standard tool for monitoring servers and networks with graphs, has a flaw that can let the database be manipulated without authentication. It is tracked as CVE-2026-39893 and carries a top-class severity of CVSS 9.8. It is SQL injection from a filtering value, abusable without a login on setups with guest viewing enabled. Versions 1.2.30 and earlier are affected; update to 1.2.31.

Makoto Horikawa
Backend Engineer / AWS / Django
Cacti, a standard tool for monitoring the state of servers and network equipment with graphs, has been found to contain a vulnerability (a software flaw) that can let an attacker steal the contents of the database from outside without any identity check (authentication). It is tracked as CVE-2026-39893, with a severity of 9.8 out of 10 (Critical), near the very top.
The affected versions are 1.2.30 and earlier. It was reported by GitHub and disclosed on June 24, 2026. The fix is included in 1.2.31. The flaw is exploited through a technique called "SQL injection" (sending a crafted string into an input field to manipulate the database), and on installations with guest viewing enabled it can be abused without a login, so an update is needed right away.
What kind of tool is Cacti?
Cacti is a monitoring tool that periodically gathers the traffic and load of devices—servers, routers, switches—and draws them into easy-to-read graphs. Because you can look back at "when, where, and how much load occurred," it has long been used to operate internal systems and data centers. It is published as open source and is a standard choice for administrators worldwide.
Cacti has a history of being attacked in the real world, and several of its vulnerabilities have been added to the U.S. agency CISA's "list of vulnerabilities under active attack." The fact that it is known to attackers as a "monitoring tool worth targeting" is a reason not to take this latest flaw lightly. We maintain a Japanese-language overview in our CISA KEV Dashboard (Japanese edition).
Who targets it, what they do, and what happens
The targets are servers running Cacti on the network, especially those with "guest viewing" (a setting that lets graphs be viewed without logging in) enabled. It is not unusual to enable this setting so anyone in the company can see the dashboards, and in that case an outside third party can meet the attack's precondition without a login.
What an attacker does is send a crafted string the database interprets as a command into an input field, making it read or operate on data that should not be permitted. Because Cacti's database holds information about monitored devices and user account information (including password hashes), a breach there spreads the damage.
If an attacker uses stolen account information as a foothold to get in as an administrator, it can lead to tampering with monitoring settings and further intrusion through Cacti's features. Monitoring tools are often connected to a wide swath of the internal network, so a small entry point tends to produce a large impact. Inspecting the components and services you bring in from outside is worth revisiting alongside the ideas in our OSS supply-chain scanner overview.
What the vulnerability is
SQL injection happens when a string sent to an input field is incorporated as-is into the command sent to the database. By mixing in symbols that hijack the flow of the command, an attacker can make a different query run than intended.
CVE-2026-39893: SQL injection from a filtering parameter (CVSS 9.8)
According to the published information, the request value "rfilter," used to filter graphs, was concatenated directly into a "RLIKE" SQL clause without being sanitized. As a result, by crafting the value, an attacker can run arbitrary database queries. The vulnerable endpoint is reachable before authentication on setups that allow guest viewing, so a login-free attack works—which is what pushes the severity to the top class (Cacti security advisories). In the fixed version 1.2.31, the handling of this value was reworked.
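To make the "concatenated directly into an RLIKE clause" failure concrete, here is an added example (not Cacti's code and not the actual 1.2.31 patch) showing the vulnerable concatenation beside the parameterized form, written as the regression test a maintainer would keep. It uses an in-memory SQLite database with a registered REGEXP function standing in for MySQL's RLIKE, and a constructed `graphs` table with a `guest_visible` flag; the table layout, the crafted filter string and the parameter binding as the fix are all assumptions of this illustration, not details taken from the advisory.

```python
import re
import sqlite3

# Constructed sample rows standing in for a graph table; this is not Cacti's real schema.
GRAPHS = [
    (1, "router1 - Traffic eth0", 1),
    (2, "router1 - Traffic eth1", 1),
    (3, "switch2 - CPU load", 0),
    (4, "backup-db - Sessions", 0),
]


def _regexp(pattern, value):
    """Evaluate SQLite's REGEXP operator (the stand-in for MySQL's RLIKE) with Python's re."""
    try:
        return 1 if re.search(pattern, value) else 0
    except re.error:
        # A malformed pattern matches nothing instead of aborting the whole query.
        return 0


def open_db():
    """Build an in-memory database with the sample rows and the REGEXP function registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("regexp", 2, _regexp)
    conn.execute("CREATE TABLE graphs (id INTEGER, title TEXT, guest_visible INTEGER)")
    conn.executemany("INSERT INTO graphs VALUES (?, ?, ?)", GRAPHS)
    return conn


def filter_graphs_vulnerable(conn, rfilter):
    """Vulnerable pattern: the request value is spliced into the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL, not as a filter."""
    sql = ("SELECT id, title FROM graphs WHERE guest_visible = 1 "
           "AND title REGEXP '" + rfilter + "'")
    return conn.execute(sql).fetchall()


def filter_graphs_safe(conn, rfilter, max_len=128):
    """Hardened pattern (assumed generic fix): the value is bound as a query parameter, so the
    database only ever sees it as data (a regex pattern), never as SQL. The length cap limits
    how much work an anonymous guest can hand the regex engine."""
    if len(rfilter) > max_len:
        raise ValueError("filter too long")
    sql = "SELECT id, title FROM graphs WHERE guest_visible = 1 AND title REGEXP ?"
    return conn.execute(sql, (rfilter,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    crafted = "eth0' OR '1'='1"
    print("vulnerable:", filter_graphs_vulnerable(db, crafted))  # every row, guest flag ignored
    print("hardened:  ", filter_graphs_safe(db, crafted))        # nothing matches that literal text
```

The point of the two calls at the bottom is the row the guest was never supposed to see: with concatenation the `guest_visible = 1` condition is simply overridden by the text that follows the injected quote, while with a bound parameter the same bytes are just an odd-looking pattern that matches no title. Binding alone does not make a guest-controlled regular expression harmless (a pathological pattern is still a resource-exhaustion concern), which is why the hardened function also caps the length.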
A quick check of whether you are affected
Affected are 1.2.30 and earlier, fixed in 1.2.31. It is especially dangerous with guest viewing enabled, since it can then be abused without authentication. You can check your version in the admin console.
| Version | Guest viewing | What to do |
|---|---|---|
| 1.2.30 and earlier | Enabled (abusable w/o login) | Top priority: update to 1.2.31 |
| 1.2.30 and earlier | Disabled | Update to 1.2.31 soon |
| 1.2.31 and later | — | No action needed |
Even with guest viewing disabled, it can be abused by users who can log in, so an update is needed in any case. Cacti exposed to the internet should act especially urgently.
What to do now
The top priority is to update Cacti to 1.2.31 or later. Get the latest version from the official releases.
If you cannot update immediately, useful mitigations are to temporarily disable guest viewing and avoid exposing Cacti directly to the internet, limiting connections to a trusted range such as the internal network. Also inspect for any added administrator accounts, suspicious logins, or suspicious changes to monitoring settings. If a takeover is suspected, reset user passwords and rotate the database credentials.
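Beyond checking accounts and settings, the web server's access log is the one place a guest request can leave a trace. The following added example (my own, not part of this article or of Cacti) scans constructed Apache combined-format log lines for requests whose `rfilter` query parameter, once percent-decoded, contains SQL string delimiters, comment markers or keyword-plus-comparison constructs that a genuine graph-name filter has no reason to carry. The request path `/cacti/graph_page.php` is a placeholder (the article does not name the endpoint), the log lines and the heuristic are assumptions, and a hit is a lead for triage, not proof of exploitation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined"-style access log lines. The path /cacti/graph_page.php is a
# placeholder, not the real endpoint; only the rfilter parameter name comes from the advisory.
LOG_LINES = [
    '10.0.0.5 - - [24/Jun/2026:10:01:02 +0900] "GET /cacti/graph_page.php?action=list&rfilter=eth0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jun/2026:10:02:40 +0900] "GET /cacti/graph_page.php?action=list&rfilter=router.*traffic HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jun/2026:10:03:15 +0900] "GET /cacti/graph_page.php?action=list&rfilter=eth0%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90111 "-" "python-requests/2.31"',
    '203.0.113.7 - - [24/Jun/2026:10:05:01 +0900] "GET /cacti/index.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
]

# Fields of the combined log format we need: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic (assumed): a legitimate graph filter is a regex over device and graph names and has
# no reason to contain SQL string delimiters, comment markers, or keyword/comparison combos.
SUSPICIOUS = re.compile(
    r"""['"`;]|--|/\*|\b(?:union\s+select|(?:or|and)\s+\S+\s*=|sleep\s*\(|benchmark\s*\()""",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flagged_rfilter_requests(lines):
    """Return one record per request whose decoded rfilter value trips the heuristic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = parse_qs(urlsplit(rec["target"]).query)  # percent-decodes the values
        for value in query.get("rfilter", []):
            if SUSPICIOUS.search(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "rfilter": value})
    return hits


if __name__ == "__main__":
    for hit in flagged_rfilter_requests(LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} rfilter={hit['rfilter']!r}")
```

Run it against the real log with `flagged_rfilter_requests(open(path))` and widen the time window around any hit: on a guest-viewing setup there is no session to tie the request to, so the client address, the user agent and the response size (a database dump is much larger than a graph list) are what you have to work with, and the account and settings review the article recommends should follow from any confirmed hit. Decode before matching, as done here, because percent-encoding is the normal way such a value travels and the raw line will not contain the quote character.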
Summary
Cacti's CVE-2026-39893 is a vulnerability in which a filtering value was incorporated into the SQL command without being sanitized, allowing the database to be illicitly manipulated. On setups with guest viewing enabled it can be abused without authentication, with a severity of CVSS 9.8. It affects 1.2.30 and earlier and is fixed in 1.2.31.
Because Cacti is a monitoring tool that has been attacked in the real world before, the risk of leaving it unpatched is not small. If you run it, first check your version and, if it is old, update now. If new vulnerabilities concerning Cacti emerge, we will track them by adding to this article.