CVE-2026-40941
Analyzed Analyzed - Analysis Complete

Package Import Signature Validation Bypass in Cacti

Vulnerability report for CVE-2026-40941, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cacti cacti to 1.2.31 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Cacti, an open source performance and fault management framework. Versions 1.2.30 and earlier have a flaw in the package import signature validation process that allows bypassing the validation. This means that self-signed packages, which normally might be rejected, can be accepted and imported due to this bypass.

The issue was fixed in version 1.2.31.

Impact Analysis

By allowing self-signed packages to be imported without proper signature validation, an attacker with limited privileges could potentially introduce malicious or unauthorized code into the Cacti system. This could lead to compromise of the system's integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cacti to version 1.2.31 or later, as this version contains the fix for the package import signature validation bypass that allows self-signed packages.

Compliance Impact

The vulnerability in Cacti allows self-signed packages to bypass signature validation, which represents an improper verification of cryptographic signatures (CWE-347). This security weakness could potentially lead to unauthorized code execution or tampering, increasing the risk of data breaches or system compromise.

Such risks may impact compliance with common standards and regulations like GDPR and HIPAA, which require adequate security controls to protect data integrity and confidentiality. Failure to properly validate package signatures could undermine trust in the software's security posture and lead to non-compliance if exploited.

However, the provided information does not explicitly detail the direct effects on compliance frameworks or specific regulatory requirements.

Detection Guidance

This vulnerability affects Cacti versions 1.2.30 and prior, where package import signature validation can be bypassed allowing self-signed packages. Detection primarily involves verifying the version of Cacti installed on your system.

To detect if your system is vulnerable, check the installed Cacti version. If it is 1.2.30 or earlier, your system is vulnerable.

You can check the Cacti version by running commands such as:

  • On the server hosting Cacti, run: `cacti -v` or check the version in the web interface under 'About' or 'System Information'.
  • Alternatively, check the version by inspecting the Cacti installation directory, for example: `cat /path/to/cacti/include/version.php` or similar files that contain version information.

Since the vulnerability involves package import signature validation bypass, monitoring for unexpected or self-signed package imports or unusual package installation activity in Cacti could also help detect exploitation attempts, though specific commands for this are not provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40941. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart