SQL Injection vulnerability in automation_get_new_graphs_sql
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in automation_get_new_graphs_sql function of api_automation.php allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In api_automation.php line 856, the get_request_var('filter') is being concatenated into the SQL statement without any sanitization. In api_automation.php line 717, The filter of 'filter' is FILTER_DEFAULT, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
13<1.2.27+ 1 more
- (no CPE)range: <1.2.27
- (no CPE)range: < 1.2.27
- osv-coords11 versionspkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP6pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP6
< 1.2.27-bp155.2.9.1+ 10 more
- (no CPE)range: < 1.2.27-bp155.2.9.1
- (no CPE)range: < 1.2.27-bp156.2.3.1
- (no CPE)range: < 1.2.27-1.1
- (no CPE)range: < 1.2.27-bp155.2.9.1
- (no CPE)range: < 1.2.27-bp156.2.3.1
- (no CPE)range: < 1.2.27-bp155.2.9.1
- (no CPE)range: < 1.2.27-bp155.2.9.1
- (no CPE)range: < 1.2.27-bp156.2.3.1
- (no CPE)range: < 1.2.27-bp155.2.9.1
- (no CPE)range: < 1.2.27-bp155.2.9.1
- (no CPE)range: < 1.2.27-bp156.2.3.1
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the `filter` parameter allows SQL injection in `api_automation.php`."
Attack vector
An authenticated attacker crafts a malicious `filter` parameter in the HTTP request to `automation_graph_rules.php`. The payload is injected into the SQL query without sanitization [ref_id=1]. By appending SQL control characters (e.g., `%22);select sleep(10)--+`), the attacker can manipulate the query to execute arbitrary SQL commands, enabling privilege escalation and remote code execution [CWE-89].
Affected code
The vulnerability resides in `api_automation.php`, specifically in the `automation_get_new_graphs_sql` function. At line 856, the return value of `get_request_var('filter')` is concatenated directly into a SQL statement via `build_graph_object_sql_having($rule, get_request_var('filter'))`. The input filter for `'filter'` is set to `FILTER_DEFAULT` (line 717), meaning no sanitization is applied.
What the fix does
Version 1.2.27 applies a patch that sanitizes the `filter` input before it is used in the SQL query. The advisory does not show the exact diff, but the fix ensures the `filter` parameter is properly escaped or parameterized, preventing SQL injection.
Preconditions
- authThe attacker must be an authenticated user of the Cacti application.
- inputThe attacker must have access to the `automation_graph_rules.php` endpoint with a valid rule ID.
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.phpmitrex_refsource_MISC
- github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.phpmitrex_refsource_MISC
- github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886mitrex_refsource_MISC
- github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pccmitrex_refsource_CONFIRM
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/mitre
News mentions
0No linked articles in our index yet.