Cacti SQL Injection vulnerability in lib/api_automation.php caused by reading dirty data stored in database

An attacker with administrator privileges for Automation can POST dirty data to `automation_tree_rules.php`, injecting a malicious payload into the `field` column of the `automation_match_rule_items` table [ref_id=1]. Later, when an administrator triggers `host.php?action=actions&drp_action=6` or a similar action in `graphs.php`, the stored payload is read and concatenated into an SQL query without sanitization, causing SQL injection [ref_id=1]. This secondary injection can then be used to insert rows into `plugin_hooks` and `plugin_config`, which are subsequently read by `api_plugin_hook()` to construct a file‑include path, enabling arbitrary file reading and, via log poisoning, remote code execution [ref_id=2].

The vulnerability resides in `automation_tree_rules.php` where data is stored without thorough validation, and in the `create_all_header_nodes()` function in `lib/api_automation.php` where that stored data is concatenated directly into an SQL statement [ref_id=1]. A secondary SQL injection path through `lib/plugin.php`'s `api_plugin_hook()` function enables file inclusion leading to RCE [ref_id=2].

Version 1.2.27 contains a patch that addresses the SQL injection by properly sanitizing or parameterizing the data read from the `automation_tree_rule_items` table before it is used in SQL concatenation [ref_id=1]. The patch also likely addresses the file‑inclusion issue in `lib/plugin.php` to prevent the chained attack [ref_id=2]. Without the patch, an attacker can leverage the stored dirty data to execute arbitrary SQL and subsequently achieve file inclusion and remote code execution.