CVE-2026-4631

EUVD-2026-19814
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
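An added example, not Cockpit's code, of the validation the description says is missing: it accepts only POSIX-style usernames and DNS names or IP literals (an assumed policy) and builds the ssh argument vector for subprocess without a shell, with `--` so nothing user-controlled can be parsed as an option.

```python
"""Validate an SSH target taken from an untrusted web request.

Two defects implied by the description are addressed: values that ssh
would read as options (leading '-') or that a shell would interpret are
rejected, and the command is built as an argv list, never a shell string.
"""
import ipaddress
import re

# Assumed policy: POSIX-style usernames, DNS hostnames or IP literals only.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_user(user: str) -> bool:
    """A username may not start with '-' or contain spaces/metacharacters."""
    return bool(_USER_RE.fullmatch(user))


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a DNS name built of RFC 1123 labels.

    Anything else (option-like strings, whitespace, ';', '|', empty) fails.
    """
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # e.g. "10.0.0.5" or "::1"
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL_RE.fullmatch(label) for label in labels)


def build_ssh_argv(user: str, host: str, port: int = 22) -> list[str]:
    """Return argv for subprocess.run(argv) or raise ValueError.

    '--' ends ssh option parsing, so even a value that slipped past the
    checks cannot become an option; a list argv means no shell sees it.
    """
    if not valid_user(user):
        raise ValueError("invalid username")
    if not valid_host(host):
        raise ValueError("invalid hostname")
    if not 1 <= port <= 65535:
        raise ValueError("invalid port")
    return ["ssh", "-p", str(port), "--", f"{user}@{host}"]
```

Pass the returned list to `subprocess.run` directly; do not join it into a string for `shell=True`.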
OS Command Injection
CVSS 3.x base score
Provider:            NIST (Primary)
Base Score:          9.8 CRITICAL
Attack Vector:       NETWORK
Attack Complexity:   LOW
Privileges Required: NONE
Vector:              CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis: this vulnerability is currently awaiting analysis.

EPSS Score: Percentile 96%
Ubuntu Releases (Ubuntu Product: cockpit)
Codename   Status
bionic     needs-triage
focal      needs-triage
jammy      needs-triage
noble      needs-triage
questing   needs-triage
resolute   needs-triage
Red Hat Enterprise Linux Releases
Red Hat Product       Release   Fixed Version     Status
cockpit               RHEL 9    0:344-2.el9_7     fixed
cockpit-bridge        RHEL 9    0:344-2.el9_7     fixed
cockpit-doc           RHEL 9    0:344-2.el9_7     fixed
cockpit-packagekit    RHEL 9    0:344-2.el9_7     fixed
cockpit-storaged      RHEL 9    0:344-2.el9_7     fixed
cockpit-system        RHEL 9    0:344-2.el9_7     fixed
cockpit-ws            RHEL 9    0:344-2.el9_7     fixed
cockpit-ws-selinux    RHEL 9    0:344-2.el9_7     fixed