CVE-2026-40079
Status: Received - Intake
Command Injection in Cacti Performance Monitoring Framework

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function. The escape_command() function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built by rrdtool_function_graph() is passed through this function and then to shell_exec($full_commandline). The risk is in __rrd_execute() where text_format values from graph templates (which may contain host variable substitutions) reach shell_exec without adequate escaping. This issue has been addressed in version 1.2.31.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product   Version / Range
cacti    cacti     up to 1.2.31 (excluding)
cacti    cacti     1.2.31
CWE

CWE ID   Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Executive Summary

CVE-2026-40079 is a command injection vulnerability in the Cacti software, specifically in the way it executes RRDtool commands. The root cause is the escape_command() function in lib/rrd.php, which is supposed to sanitize commands but instead returns them unchanged, allowing potentially malicious input to reach the shell_exec() function without proper escaping.

This vulnerability occurs when graph templates contain text_format values with host variable substitutions; those values are passed through escape_command() unchanged and then executed by shell_exec(), enabling an attacker to inject arbitrary OS commands.

The issue affects Cacti versions 1.2.30 and earlier and has been fixed in version 1.2.31 by properly sanitizing or removing the vulnerable function and ensuring all command arguments are escaped.

Impact Analysis

This vulnerability can allow an attacker with access to graph templates or host variable inputs to execute arbitrary operating system commands on the server running Cacti.

Such command injection can lead to unauthorized access, data compromise, system disruption, or complete takeover of the affected system.

Because the vulnerability is exploitable remotely (network attack vector) and has a high severity score (CVSS 8.6), it poses a significant risk to the confidentiality, integrity, and availability of the system.

Detection Guidance

Detecting exposure to this vulnerability means confirming whether a vulnerable Cacti version (1.2.30 or earlier) is in use and whether unescaped, user-controlled input can reach shell_exec() via the escape_command() function in lib/rrd.php.

Specifically, monitoring or auditing the command lines built by rrdtool_function_graph() for unescaped host variable substitutions can help detect exploitation attempts.

While no explicit commands are provided in the resources, general detection steps could include:

  • Checking the Cacti version installed to confirm if it is 1.2.30 or earlier.
  • Reviewing logs for unusual shell_exec() calls or command executions originating from Cacti processes.
  • Using system monitoring tools to detect unexpected command executions or network activity related to rrdtool invocations.
Mitigation Strategies

Immediate mitigation steps include upgrading Cacti to version 1.2.31 or later, where the vulnerability has been addressed.

If upgrading is not immediately possible, consider the following:

  • Replace or remove the no-op escape_command() function to ensure proper sanitization of commands.
  • Audit all values flowing into the command line to ensure they are properly escaped or sanitized.
  • Consider modifying the code to use a pipe path (fwrite) instead of shell invocation to avoid command injection risks.
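The first two mitigation bullets, as an added PHP example that is not Cacti's own code: a stand-in for the pass-through escape_command() described in the advisory, a hardened builder that quotes every template- or host-derived value with PHP's escapeshellarg() before the string reaches shell_exec(), and a small source-audit helper for lib/rrd.php. Function names, the argument layout, the file paths and the sample title are assumptions.

```php
<?php
// Added example, not Cacti's code. The defect described in the advisory is an
// "escape" helper that returns its input untouched, so every value that reaches
// the rrdtool command line is handed to the shell as syntax. Names are assumed.

// Stand-in for the no-op helper: whatever goes in comes out unchanged.
function escape_command_noop(string $command): string
{
    return $command;
}

// Hardened builder: each value that originates in a graph template or a host
// variable substitution becomes one quoted argument, never spliced in raw.
function build_rrd_graph_command(string $rrdtool, string $rrdfile, array $series, string $title): string
{
    $args = ['graph', '-', '--title', $title];
    foreach ($series as $name => $ds) {
        // $name and $ds may come from the template, so they are quoted too.
        $args[] = sprintf('DEF:%s=%s:%s:AVERAGE', $name, $rrdfile, $ds);
        $args[] = sprintf('LINE1:%s#00AA00:%s', $name, $name);
    }
    // escapeshellarg() wraps each argument in single quotes and escapes any
    // embedded quote, so shell metacharacters inside $title stay literal text.
    return escapeshellcmd($rrdtool) . ' ' . implode(' ', array_map('escapeshellarg', $args));
}

// Audit heuristic for lib/rrd.php: flags an escape_command() whose whole body
// is "return $command;", the pattern the advisory describes. Other spellings of
// the same no-op (extra lines, renamed parameter) would need a manual review.
function escape_command_is_noop(string $phpSource): bool
{
    return (bool) preg_match(
        '/function\s+escape_command\s*\(\s*\$command\s*\)\s*\{\s*return\s+\$command\s*;\s*\}/s',
        $phpSource
    );
}

// Constructed sample: a graph title carrying quote and separator characters,
// as a hostile host variable substitution might. Nothing is executed here.
$title = "Router 'edge-1' uplink; demo";
$noop  = escape_command_noop("rrdtool graph - --title $title");
$safe  = build_rrd_graph_command('/usr/bin/rrdtool', '/var/lib/cacti/rra/edge_1_traffic.rrd',
    ['traffic_in' => 'traffic_in'], $title);

echo "no-op:    $noop\n";   // the quotes and ';' would reach the shell as syntax
echo "hardened: $safe\n";   // the whole title is one single-quoted argument
```

Running the file with the PHP CLI prints both command lines side by side; the hardened one is what should be handed to shell_exec(), and escape_command_is_noop() can be run over the contents of lib/rrd.php as a quick check before upgrading.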
Compliance Impact

The vulnerability in Cacti allows command injection due to improper sanitization of inputs passed to shell commands. This can lead to unauthorized command execution on the affected system.

Such a vulnerability can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or manipulation of sensitive data, violating data protection and privacy requirements.

Mitigations such as proper input sanitization, patching to version 1.2.31, and auditing command line inputs are necessary to reduce the risk and help maintain compliance with these regulations.
