CVE-2026-39894
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks metric values with is_numeric() and concatenates them into the RRDtool update command via PHP string interpolation. PHP's string cast of floats is locale-sensitive: if LC_NUMERIC uses comma as decimal separator (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as decimal separator, causing metric data to shift into wrong columns or be silently dropped. No setlocale() reset is present in the update path. This causes a data integrity issue, but is not remotely exploitable; it requires server locale misconfiguration. The issue has been fixed in version 1.2.31.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor  Product  Version / Range
cacti   cacti    up to 1.2.31 (excluding)
cacti   cacti    1.2.31

The first row is the affected range. The second row lists 1.2.31 on its own; the description names that release as the one containing the fix, so read it as the remediated version rather than as a second affected version.
CWE
CWE-474: The code uses a function that has inconsistent implementations across operating systems and versions.
Executive Summary

This vulnerability exists in Cacti versions 1.2.30 and below, where the function rrdtool_function_update() improperly handles locale-dependent decimal formatting. Specifically, when the server's locale uses a comma as the decimal separator (such as in de_DE), PHP converts float values like 1.5 into the string "1,5". However, RRDtool expects a period as the decimal separator. Because of this mismatch, metric data can be shifted into incorrect columns or silently dropped, causing data corruption.

The issue arises because the function builds the RRDtool update command with PHP string interpolation and never resets the locale; is_numeric() accepts the float but does nothing to normalise its string form. On PHP 8.0 and later the float-to-string cast is locale-independent, so this path can only produce a comma on older interpreters. The result is a data integrity problem; it is not remotely exploitable and requires a server locale misconfiguration.

The vulnerability was fixed in Cacti version 1.2.31.
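The pattern the advisory describes, next to a hardened formatter, as an added PHP example that is neither Cacti's own code nor the upstream fix. build_update_vulnerable(), build_update_hardened() and format_metric() are hypothetical stand-ins for the relevant part of rrdtool_function_update(), and the sample values are constructed. It goes beyond the advisory's single case: it also shows how integers, large numeric strings and non-numeric input should be treated, and it exercises both builders under a comma-decimal locale when one is installed on the host.

```php
<?php
// Added example, not code from Cacti: the locale-dependent pattern the advisory
// describes for rrdtool_function_update(), next to a hardened formatter.
// build_update_vulnerable(), build_update_hardened(), format_metric() and the
// sample values are assumptions made for this illustration.

/**
 * Vulnerable pattern: validate with is_numeric(), then let string interpolation
 * stringify the value. On PHP < 8.0 the float-to-string cast honours LC_NUMERIC,
 * so 1.5 becomes "1,5" under de_DE. (PHP 8.0 made this cast locale-independent,
 * so on PHP 8 the two builders below agree.)
 */
function build_update_vulnerable(array $values): string
{
    $fields = [];
    foreach ($values as $v) {
        $fields[] = is_numeric($v) ? "$v" : 'U';   // 'U' is RRDtool's "unknown"
    }
    return 'N:' . implode(':', $fields);          // becomes the argument of rrdtool update
}

/**
 * Hardened formatter: keep the locale away from the number entirely.
 *  - ints are cast directly (integer casts are never locale-sensitive);
 *  - floats go through sprintf('%F'), which PHP documents as non-locale-aware,
 *    with trailing zeros trimmed so "7.0000000000" becomes "7";
 *  - numeric strings that already look like an RRDtool decimal pass through
 *    untouched (avoids a lossy float round-trip on large counters);
 *  - anything else becomes 'U' instead of being silently mangled.
 */
function format_metric($v): string
{
    if (is_int($v)) {
        return (string) $v;
    }
    if (is_float($v)) {
        if (!is_finite($v)) {
            return 'U';
        }
        return rtrim(rtrim(sprintf('%.10F', $v), '0'), '.');
    }
    if (is_string($v) && preg_match('/^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/', $v)) {
        return $v;
    }
    return 'U';
}

function build_update_hardened(array $values): string
{
    return 'N:' . implode(':', array_map('format_metric', $values));
}

/**
 * Run both builders under a comma-decimal locale. setlocale() returns false when
 * none of the requested locales is installed on the host; the output then shows
 * that the process stayed in "C", and the vulnerable builder looks fine only by
 * accident of this host's configuration.
 */
function demo(): array
{
    $locale = setlocale(LC_NUMERIC, 'de_DE.UTF-8', 'de_DE', 'German_Germany');
    $values = [1.5, 2.25, 7, '123456789012345678', 'U', 'abc'];
    $out = [
        'php'        => PHP_VERSION,
        'locale'     => $locale === false ? 'C (no comma-decimal locale installed)' : $locale,
        'vulnerable' => build_update_vulnerable($values),
        'hardened'   => build_update_hardened($values),
    ];
    setlocale(LC_NUMERIC, 'C');   // the reset the advisory says the update path lacks
    return $out;
}

print_r(demo());
```

On a PHP 7.x host with a German locale installed the two update strings differ only in the decimal separator of the float fields; on PHP 8.0 or later they agree, because that release made the float-to-string cast locale-independent. The setlocale(LC_NUMERIC, 'C') at the end is the reset the advisory notes is absent from the affected path; the hardened builder does not depend on it, which is the point of formatting with %F rather than relying on process-wide locale state.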

Impact Analysis

This vulnerability can impact you by causing corruption of RRDtool metric values in Cacti. Specifically, metric data may be shifted into wrong columns or silently dropped due to incorrect decimal formatting caused by locale settings.

As a result, the performance and fault management data collected and reported by Cacti may be inaccurate or incomplete, potentially leading to incorrect monitoring insights or decisions.

However, this issue is not remotely exploitable and requires a server locale misconfiguration to occur.

Detection Guidance

This vulnerability arises from locale-dependent decimal formatting in the rrdtool_function_update() function in Cacti versions 1.2.30 and below. Two conditions have to coincide: the PHP process that runs the Cacti poller must operate with an LC_NUMERIC locale whose decimal separator is a comma (e.g. de_DE), and the interpreter must be one whose float-to-string cast honours that locale (PHP 8.0 made the cast locale-independent, so "1,5" can only be produced on PHP 7.x and older).

You can check the locale in the shell with:

  • locale | grep LC_NUMERIC

Treat this as a first indicator only: it reports the environment of the interactive shell, not necessarily that of the poller (poller.php under cron or a service unit) or of the web server's PHP. Check the environment those processes actually start with, and keep in mind that PHP begins in the "C" locale and adopts the environment's locale only through a setlocale() call in application code.

Cacti ships no cacti -v command. Read the installed version from the include/cacti_version file in the Cacti installation directory, or from the About page of the web console:

  • cat /path/to/cacti/include/cacti_version

If the version is 1.2.30 or below and the poller runs under a comma-decimal locale on a PHP version older than 8.0, the system is exposed.
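A probe that performs the checks above from inside PHP, as an added example that is not Cacti tooling. It is meant to be run with the same PHP binary and environment as the poller (for instance from the cron entry or service that launches poller.php, as that user), so that it reports what that process would actually see. The Cacti install directory comes from the first argument; the default path and the include/cacti_version file location are assumptions.

```php
<?php
// Added probe, not Cacti tooling: reports the decimal separator this PHP process
// would use under the environment's locale, the PHP version, and the installed
// Cacti version. Run it as the poller user with the poller's environment.
// argv[1] is the Cacti install directory; the default and the
// include/cacti_version path are assumptions.

function probe(string $cactiRoot): array
{
    $r = [
        'php_version'              => PHP_VERSION,
        // PHP 8.0 made the float-to-string cast locale-independent, so the
        // comma can only reach the update string on older interpreters.
        'cast_is_locale_sensitive' => version_compare(PHP_VERSION, '8.0.0', '<'),
        'env_LC_ALL'               => getenv('LC_ALL') ?: '(unset)',
        'env_LC_NUMERIC'           => getenv('LC_NUMERIC') ?: '(unset)',
        'env_LANG'                 => getenv('LANG') ?: '(unset)',
    ];

    // PHP starts with LC_NUMERIC = "C" regardless of the environment; the
    // environment takes effect only when something calls setlocale(..., ''),
    // as application i18n code commonly does. Apply it here to see what the
    // poller would get, then restore "C".
    $applied = setlocale(LC_NUMERIC, '');
    $r['locale_from_env']    = $applied === false ? '(environment locale not installed)' : $applied;
    $r['decimal_point']      = localeconv()['decimal_point'];
    $r['float_1_5_casts_to'] = (string) 1.5;
    setlocale(LC_NUMERIC, 'C');

    $verFile = rtrim($cactiRoot, '/') . '/include/cacti_version';
    $r['cacti_version'] = is_readable($verFile)
        ? trim((string) file_get_contents($verFile))
        : '(not found)';

    // Exposed only when all three conditions hold: affected release, comma
    // decimal separator, and an interpreter whose cast honours the locale.
    $r['exposed'] = preg_match('/^\d+\.\d+\.\d+$/', $r['cacti_version']) === 1
        && version_compare($r['cacti_version'], '1.2.31', '<')
        && $r['decimal_point'] === ','
        && $r['cast_is_locale_sensitive'];
    return $r;
}

foreach (probe($argv[1] ?? '/usr/share/cacti') as $k => $v) {
    printf("%-26s %s\n", $k, is_bool($v) ? ($v ? 'yes' : 'no') : $v);
}
```

The probe cannot see what locale Cacti itself passes to setlocale() at runtime, so a "no" for exposed from a process whose environment is clean is a strong but not absolute signal; a "yes" means the poller's environment, PHP version and Cacti release together match the advisory's conditions.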

Mitigation Strategies

To mitigate this vulnerability, upgrade Cacti to version 1.2.31 or later, where the update path has been fixed.

Until then, make sure the PHP processes that write to RRDtool, the poller (poller.php, whether started by cron or a service unit) and the web server's PHP, run with an LC_NUMERIC locale that uses a decimal point (.), such as C, C.UTF-8 or en_US.UTF-8, rather than a comma locale such as de_DE.

  • Exporting LC_NUMERIC=en_US.UTF-8 in an interactive shell only affects commands started from that shell; to cover the poller, set it in the cron entry or service environment that launches poller.php, and in the web server's environment for the PHP that runs under it.
  • Or configure the system locale permanently to use a dot as decimal separator, then restart the poller and the web server so they pick it up.

Environment variables reach a PHP process's locale only through a setlocale() call in application code, so verify the effect on the running poller rather than assuming it; the upgrade is the reliable fix.
