Skip to content
Threat Feed
critical advisory PoC updated

Cockpit Remote Login Command Injection (CVE-2026-4631)

CVE-2026-4631 allows remote attackers to execute arbitrary code on a Cockpit host by injecting malicious SSH options via a crafted HTTP request to the login endpoint due to insufficient input validation of user-supplied hostnames and usernames.

What's new

  • l2 poc_available; OS linux Jul 12, 09:01 via sploitus

Cockpit is a web-based interface for system administration. CVE-2026-4631 affects the remote login functionality in Cockpit. Specifically, the vulnerability exists because the application fails to properly sanitize or validate user-supplied input for hostnames and usernames when initiating SSH connections. This allows an attacker with network access to the Cockpit web service to inject arbitrary SSH options or shell commands into the SSH command executed by the Cockpit server. No authentication is required to exploit this vulnerability, as the injection occurs before any credential verification. The vulnerability was published on 2026-04-07 and has a CVSS v3.1 base score of 9.8, indicating its critical severity. Successful exploitation leads to arbitrary code execution on the Cockpit host.

Attack Chain

  1. Attacker identifies a Cockpit instance accessible over the network.
  2. Attacker crafts a malicious HTTP request to the Cockpit login endpoint (typically /cockpit/login).
  3. The crafted request includes a hostname or username containing injected SSH options or shell commands (e.g., -o ProxyCommand=evil.sh).
  4. Cockpit's backend processes the request and constructs an SSH command using the unsanitized input.
  5. The injected SSH options or commands are executed by the ssh command on the Cockpit server.
  6. If the injected content is a shell command, it executes with the privileges of the Cockpit process.
  7. The attacker gains arbitrary code execution on the Cockpit host.
  8. The attacker can then perform further actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2026-4631 allows an unauthenticated attacker to achieve remote code execution on the Cockpit host. The impact is severe, potentially leading to full system compromise. Given the role of Cockpit in system administration, a compromised host could allow attackers to gain control over other systems managed through the Cockpit interface. The number of victims will depend on the prevalence of vulnerable Cockpit instances exposed to the network.

Recommendation

  • Apply the patch or upgrade to a version of Cockpit that addresses CVE-2026-4631 to remediate the vulnerability.
  • Deploy the Sigma rule Detect Suspicious Cockpit Login Attempts to identify exploitation attempts by monitoring for specific HTTP request patterns.
  • Implement strict input validation and sanitization on the Cockpit login endpoint to prevent command injection.
  • Monitor webserver logs for unusual requests to the /cockpit/login endpoint (logsource: webserver).
  • Review and harden the configuration of SSH clients used by Cockpit.

Detection coverage 2

Detect Suspicious Cockpit Login Attempts

critical

Detects attempts to exploit CVE-2026-4631 by identifying unusual characters or commands in the cs-uri-query field of web server logs when accessing the /cockpit/login endpoint.

sigma tactics: execution techniques: T1219 sources: webserver, linux

Detect Suspicious SSH Options in Cockpit Login

high

Detects attempts to use dangerous SSH options like ProxyCommand in Cockpit logins, potentially indicating CVE-2026-4631 exploitation.

sigma tactics: execution techniques: T1219 sources: webserver, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

2

url

TypeValue
urlhttps://sploitus.com/exploit?id=B4423B41-80EB-54A0-8CBA-39356C37524C
urlhttps://github.com/ExDev994/CVE-2026-4631-cockpit-RCE.git