CVE-2026-40083 in Cacti
Summary
by MITRE • 06/26/2026
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability identified in Cacti versions 1.2.30 and prior is a critical SQL injection flaw that stems from improper input sanitization within the managers.php file. It is reachable when administrators delete SNMP agent managers through the web interface, giving a malicious actor with that permission a pathway to execute arbitrary database commands. The flaw manifests at line 756, where the application processes user-supplied data through the cacti_unserialize() function which, although it sets allowed_classes to false, still accepts arbitrary arrays of strings from the serialized input; those values are later used, unvalidated, to build a database query.
The technical exploitation of this vulnerability begins with the unsanitized processing of the selected_graphs_array parameter through the gnrv() function, followed by stripslashes() and cacti_unserialize() operations. While the cacti_unserialize() function correctly prevents object injection by setting allowed_classes to false, it does not adequately validate the content of serialized arrays containing string values. The subsequent implementation at lines 760-766 directly incorporates these unvalidated array elements into a database DELETE statement without proper integer validation or escaping mechanisms. This direct insertion of user-controllable data into SQL queries through implode() creates an environment where attackers can inject malicious SQL fragments that bypass normal security controls.
The operational impact of this vulnerability extends beyond simple data manipulation, as it provides attackers with the ability to perform unauthorized database operations including data deletion, modification, and potential information disclosure. Attackers with SNMP agent management permissions can leverage this flaw to compromise the integrity of the Cacti monitoring system, potentially leading to service disruption, unauthorized access to performance data, or even complete system compromise depending on database configuration and privileges. The vulnerability affects the core functionality of Cacti's SNMP agent management capabilities, making it particularly dangerous for network administrators who rely on proper access controls for system security.
Security mitigation strategies should focus on immediate patching to version 1.2.31, which addresses this specific issue through proper input validation and sanitization procedures. Organizations should also implement additional defensive measures including database query parameterization, input validation at multiple layers, and principle of least privilege enforcement for SNMP agent management functions. The vulnerability aligns with CWE-89 SQL Injection and follows patterns consistent with ATT&CK technique T1078 Valid Accounts, as it requires legitimate SNMP management permissions to exploit effectively. Network segmentation and monitoring of database access patterns should be implemented to detect potential exploitation attempts, while regular security assessments should verify that similar input handling vulnerabilities do not exist in other parts of the application codebase.
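The unsafe unserialize-then-implode pattern from the technical description above, reduced to a stand-alone PHP script beside the kind of hardened replacement the mitigation paragraph calls for (integer allow-listing plus parameterization). This is an added example, not Cacti's own code: cacti_unserialize() is simulated here from the page's description, and build_delete_unsafe() / build_delete_safe() are hypothetical names.

```php
<?php
// Added example (not Cacti's code). cacti_unserialize(), gnrv() and db_execute()
// are Cacti helpers named in the advisory; cacti_unserialize() is simulated below
// and no database is touched, so the script runs on its own.

// Simulated helper: unserialize with object injection disabled. Arrays of
// arbitrary strings still come through untouched, which is the root of the issue.
function cacti_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Vulnerable shape: every array element is concatenated verbatim into IN (...).
function build_delete_unsafe(array $selected_items): string
{
    return 'DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')';
}

// Hardened shape: keep only elements that are whole non-negative integers, cast
// them, and emit one placeholder per id so user data never enters the SQL text.
// Returns null when nothing valid remains so the caller can skip the query.
function build_delete_safe(array $selected_items): ?array
{
    $ids = [];
    foreach ($selected_items as $item) {
        if (is_int($item) || (is_string($item) && ctype_digit($item))) {
            $ids[] = (int) $item;
        }
        // anything else (floats, empty strings, stray text) is dropped here
    }
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return [
        'sql'    => 'DELETE FROM snmpagent_managers WHERE id IN (' . $placeholders . ')',
        'params' => $ids, // bind these through a prepared-statement API
    ];
}

// Constructed request value standing in for gnrv('selected_graphs_array'):
// two legitimate ids plus one element that is not an integer at all.
$raw = serialize(['12', '15', 'not-an-id']);
$selected_items = cacti_unserialize(stripslashes($raw));

echo build_delete_unsafe($selected_items), PHP_EOL;   // foreign text lands in the query
$safe = build_delete_safe($selected_items);
echo $safe['sql'], ' with ', json_encode($safe['params']), PHP_EOL;
```

Running the script prints the unsafe statement with the non-numeric element embedded, and the hardened statement containing only placeholders with the two integer ids as bound parameters.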