CVE-2019-16723
Description
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti / Cacti (from the CVE description)
  - Range: <= 1.2.6
- OSV coordinates (7 distribution packages, fixed-version ranges; no CPE):
  - pkg:rpm/opensuse/cacti (openSUSE Leap 15.1): < 1.2.9-lp151.3.3.1
  - pkg:rpm/opensuse/cacti (openSUSE Tumbleweed): < 1.2.18-1.2
  - pkg:rpm/opensuse/cacti-spine (openSUSE Leap 15.1): < 1.2.9-lp151.3.3.1
  - pkg:rpm/suse/cacti (SUSE Package Hub 12): < 1.2.11-5.1
  - pkg:rpm/suse/cacti (SUSE Package Hub 15 SP1): < 1.2.9-bp151.4.3.1
  - pkg:rpm/suse/cacti-spine (SUSE Package Hub 12): < 1.2.11-2.1
  - pkg:rpm/suse/cacti-spine (SUSE Package Hub 15 SP1): < 1.2.9-bp151.4.3.1
Patches
Vulnerability mechanics
Root cause
"The graph_json.php script does not perform authorization checks for graph viewing based on user permissions."
Attack vector
Any authenticated user can view any graph by calling `graph_json.php` directly and supplying a `local_graph_id` of their choosing. The script resolves the id and renders the graph without checking that the caller is permitted to see it, so the tree and graph-view permission model that governs the normal UI is bypassed entirely. Because `local_graph_id` is a small sequential integer, the attacker does not have to discover ids; iterating them is enough. The response carries the rendered graph in encoded form, which the attacker decodes back into an image, revealing the unauthorized graph [ref_id=1]. A quick check on a suspect installation: log in as a user with a restricted graph set, note a `local_graph_id` that `graph_view.php` refuses to show, then request `graph_json.php?local_graph_id=<that id>` in the same session; a 200 response containing graph data confirms the bypass.
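The following is an added example, not code from the Cacti project or from this advisory. It is a small Python detection script that reads web-server access log lines in Apache combined format, extracts `graph_json.php` requests, and reports two things a defender would want after this CVE: successful (200) responses for graphs the requesting principal is not allowed to view, and principals that cycled through many distinct `local_graph_id` values, which is what id enumeration looks like from the server side. The log lines and the allowed-graph mapping are constructed for illustration. The assumption that the log's remote-user field identifies the Cacti user (for example because an authenticating reverse proxy sets it) is mine; the script falls back to the client IP when that field is empty, since Cacti's own session login is not visible in the web-server log.

```python
"""Detection helper for CVE-2019-16723-style graph_json.php abuse (added example).

Parses Apache combined-format access log lines, keeps only requests to
graph_json.php that carry a local_graph_id, and then
  (a) flags 200 responses for graphs the principal is not permitted to view, and
  (b) flags principals that touched many distinct graph ids (enumeration).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: host ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_graph_json_requests(lines):
    """Yield (principal, local_graph_id, status) for each graph_json.php hit.

    The principal is the remote-user field when present (assumption: an
    authenticating proxy populates it) and otherwise the client IP.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/graph_json.php'):
            continue
        ids = parse_qs(url.query).get('local_graph_id')
        if not ids or not ids[0].isdigit():
            continue  # missing or non-numeric id: graph_json.php would reject it anyway
        user = m.group('user')
        principal = user if user != '-' else m.group('host')
        yield principal, int(ids[0]), int(m.group('status'))


def find_unauthorized_views(lines, allowed):
    """Return [(principal, graph_id)] for every 200 served for a graph outside
    allowed[principal]. `allowed` maps principal -> set of permitted graph ids
    and is assumed to be exported from Cacti's effective graph permissions."""
    hits = []
    for principal, gid, status in parse_graph_json_requests(lines):
        if status == 200 and gid not in allowed.get(principal, set()):
            hits.append((principal, gid))
    return hits


def find_enumerators(lines, threshold=5):
    """Return {principal: sorted ids} for principals that requested at least
    `threshold` distinct local_graph_id values, regardless of response status."""
    seen = defaultdict(set)
    for principal, gid, _status in parse_graph_json_requests(lines):
        seen[principal].add(gid)
    return {p: sorted(ids) for p, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log: alice walks ids 12..16, bob views 12 and is refused 99.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jan/2020:10:00:01 +0000] "GET /cacti/graph_json.php?local_graph_id=12&rra_id=0 HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
10.0.0.5 - alice [15/Jan/2020:10:00:02 +0000] "GET /cacti/graph_json.php?local_graph_id=13&rra_id=0 HTTP/1.1" 200 4302 "-" "Mozilla/5.0"
10.0.0.5 - alice [15/Jan/2020:10:00:03 +0000] "GET /cacti/graph_json.php?local_graph_id=14&rra_id=0 HTTP/1.1" 200 4290 "-" "Mozilla/5.0"
10.0.0.5 - alice [15/Jan/2020:10:00:04 +0000] "GET /cacti/graph_json.php?local_graph_id=15&rra_id=0 HTTP/1.1" 200 4288 "-" "Mozilla/5.0"
10.0.0.5 - alice [15/Jan/2020:10:00:05 +0000] "GET /cacti/graph_json.php?local_graph_id=16&rra_id=0 HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
10.0.0.9 - bob [15/Jan/2020:10:01:00 +0000] "GET /cacti/graph_json.php?local_graph_id=12 HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
10.0.0.9 - bob [15/Jan/2020:10:01:05 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.9 - bob [15/Jan/2020:10:01:09 +0000] "GET /cacti/graph_json.php?local_graph_id=99 HTTP/1.1" 403 211 "-" "Mozilla/5.0"
"""

# Constructed permission export: alice may see 12 and 13 only; bob may see 12 and 99.
ALLOWED = {'alice': {12, 13}, 'bob': {12, 99}}


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for principal, gid in find_unauthorized_views(lines, ALLOWED):
        print(f'UNAUTHORIZED 200: {principal} fetched local_graph_id={gid}')
    for principal, ids in find_enumerators(lines).items():
        print(f'ENUMERATION: {principal} touched {len(ids)} graph ids: {ids}')
```

On the constructed sample, alice's fetches of 14, 15 and 16 are reported as unauthorized and alice is reported as an enumerator, while bob's refused request for 99 is not a finding because it was denied. On a patched server the first report should stay empty; on an unpatched one it is the list of graphs that leaked.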
Affected code
The vulnerability lies in the `graph_json.php` script in Cacti. The reporter observed that Cacti does enforce permissions for other actions (tree node creation, for example), but `graph_json.php` applies no per-graph permission check before rendering the graph identified by `local_graph_id` [ref_id=1]. This is a textbook insecure direct object reference: the only gate is the login session, and the object identifier in the request is trusted as-is.
What the fix does
The fix commit is not included in this bundle. The description states that Cacti versions through 1.2.6 are affected; the upstream issue (Cacti/cacti #2964) tracks the fix, and the distribution advisories listed under References ship fixed packages in the ranges given above. The expected fix is to make `graph_json.php` apply the same per-graph permission check that the regular graph views apply (Cacti's existing `is_graph_allowed()` helper) before it renders anything for the requested `local_graph_id`.
Preconditions
- Auth: the attacker must be an authenticated user.
- Input: the attacker needs to know or guess the `local_graph_id` of a graph they do not have permission to view.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (vendor advisory, SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZO3ROHHPKLH2JRW7ES5FYSQTWIPNVLQB/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZSCUUCKSYVZLN3PQE7NU76AFWUGT3E2D/ (vendor advisory, Fedora)
- security.gentoo.org/glsa/202003-40 (vendor advisory, Gentoo)
- www.debian.org/security/2020/dsa-4604 (vendor advisory, Debian)
- github.com/Cacti/cacti/issues/2964 (upstream issue)
- seclists.org/bugtraq/2020/Jan/25 (mailing list, Bugtraq)
News mentions
No linked articles in our index yet.