Signature Validation Bypass in Cacti Performance Management Framework
CVE-2026-40941

7.1HIGH

Key Information:

Vendor

Cacti

Status
Cacti
Vendor
CVE Published:
25 June 2026

What is CVE-2026-40941?

Cacti, an open-source performance and fault management framework, is affected by a vulnerability that allows for a bypass of package import signature validation. This flaw permits the installation of self-signed packages, which could compromise the integrity and security of the system. The issue has been addressed in version 1.2.31, emphasizing the importance of upgrading to maintain secure operations. Administrators using versions 1.2.30 and earlier should prioritize updating to the latest version to mitigate potential risks.

Affected Version(s)

cacti < 1.2.31

References

https://github.com/Cacti/cacti/security/advisories/GHSA-2...
x_refsource_CONFIRM
https://github.com/Cacti/cacti/pull/7054
x_refsource_MISC
https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31
x_refsource_MISC

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.