PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40083 Cacti CVE debrief

CVE-2026-40083 is a SQL injection vulnerability in Cacti, an open-source performance and fault management framework. The issue affects versions 1.2.30 and prior, where unsanitized use of the unserialize and implode functions in managers.php allows SQL injection. Specifically, the application deserializes user-supplied data without proper validation, and the resulting values reach a SQL statement, so an account holding SNMP agent management permissions can inject SQL. The vulnerability is fixed in version 1.2.31, and users should upgrade to the latest version to mitigate the risk. Defenders should also review their Cacti installations for suspicious activity and ensure proper input validation is in place.

Vendor: Cacti
Product: Unknown
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-29
Advisory published: 2026-06-25
Advisory updated: 2026-06-29

Who should care

System administrators and security teams responsible for Cacti installations should be aware of this vulnerability. Given the high CVSS score of 7.2, this issue should be prioritized for immediate attention, especially in environments where SNMP agent management permissions are utilized. Users of Cacti versions 1.2.30 and prior are at risk and should take action to upgrade or apply mitigations.

Technical summary

The vulnerability is caused by the unsanitized use of the unserialize and implode functions in managers.php at lines 756 to 766. The cacti_unserialize() function deserializes user-supplied data without proper validation, so an arbitrary array of strings can be deserialized. These array values are then passed directly into a SQL statement without being validated as integers, resulting in SQL injection. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which gives a high severity score of 7.2; the PR:H component reflects that the attacker must already hold a high-privilege account (here, SNMP agent management permissions), while C:H/I:H/A:H reflect full impact on confidentiality, integrity and availability once the injection succeeds.

Defensive priority

High priority should be given to upgrading Cacti to version 1.2.31 or later. In addition to upgrading, defenders should review Cacti logs for suspicious activity and ensure that input validation is properly implemented for SNMP agent management permissions.

Recommended defensive actions

  • Upgrade Cacti to version 1.2.31 or later
  • Review Cacti logs for suspicious activity related to SNMP agent management
  • Ensure proper input validation for SNMP agent management permissions
  • Monitor for any unusual database queries or errors
  • Consider implementing additional security measures such as web application firewalls
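The following PHP is an added example, not code from Cacti or from this advisory, illustrating the input-validation point made in the technical summary and in the defensive actions above: deserialized request data is treated as untrusted, every element is checked to be an integer before it can reach SQL, and the IN (...) list is bound through a prepared statement rather than built with implode(). The function names, the table name and the sample inputs are hypothetical and constructed for the example.

```php
<?php
// Added example (not Cacti's code). Deserialised request data is untrusted:
// each element must be an integer before it is allowed into a SQL IN (...)
// list, and the values are bound by the driver instead of concatenated.
// Function names, the table name and the sample inputs are hypothetical.

/**
 * Deserialise a request parameter and return only validated integer IDs.
 * Throws on malformed input, on anything that is not an array, and on any
 * element that is not an integer or a string of digits.
 */
function parse_id_list(string $serialized): array {
    // allowed_classes => false refuses object instantiation during unserialize()
    $decoded = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    $ids = [];
    foreach ($decoded as $value) {
        // Accept native ints and digit-only strings; reject everything else.
        if (is_int($value) || (is_string($value) && ctype_digit($value))) {
            $ids[] = (int) $value;
        } else {
            throw new InvalidArgumentException('non-integer id in request');
        }
    }
    return $ids;
}

/**
 * Build a prepared statement with one placeholder per ID so the values are
 * passed as bound parameters, never as part of the query text.
 */
function delete_managers(PDO $db, array $ids): int {
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM manager_table WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed sample inputs: one clean list, one containing a non-integer.
$good = serialize(['17', '3', 42]);
$bad  = serialize(['17', 'not-a-number']);

var_dump(parse_id_list($good));
try {
    parse_id_list($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The second call is rejected before any SQL is built, which is the check the vulnerable code path lacked.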

Evidence notes

The CVE-2026-40083 vulnerability was made public on June 25, 2026, and has since been modified on June 29, 2026. The vulnerability affects Cacti versions 1.2.30 and prior. The CVSS score for this vulnerability is 7.2, indicating a high severity. The source item URL provides additional details about the vulnerability, including references to mitigation and vendor advisories.

Official resources

This article was generated with AI assistance based on the supplied source corpus.