{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cockpit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4631"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":["https://sploitus.com/exploit?id=B4423B41-80EB-54A0-8CBA-39356C37524C\u0026utm_source=rss\u0026utm_medium=rss"],"_cs_products":["Cockpit (327 – 359)"],"_cs_severities":["critical"],"_cs_tags":["cockpit","rce","command-injection","CVE-2026-4631","linux"],"_cs_type":"advisory","_cs_vendors":["Cockpit"],"content_html":"\u003cp\u003eCockpit is a web-based interface for system administration. CVE-2026-4631 affects the remote login functionality in Cockpit. Specifically, the vulnerability exists because the application fails to properly sanitize or validate user-supplied input for hostnames and usernames when initiating SSH connections. This allows an attacker with network access to the Cockpit web service to inject arbitrary SSH options or shell commands into the SSH command executed by the Cockpit server. No authentication is required to exploit this vulnerability, as the injection occurs before any credential verification. The vulnerability was published on 2026-04-07 and has a CVSS v3.1 base score of 9.8, indicating its critical severity. Successful exploitation leads to arbitrary code execution on the Cockpit host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Cockpit instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request to the Cockpit login endpoint (typically \u003ccode\u003e/cockpit/login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a hostname or username containing injected SSH options or shell commands (e.g., \u003ccode\u003e-o ProxyCommand=evil.sh\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eCockpit's backend processes the request and constructs an SSH command using the unsanitized input.\u003c/li\u003e\n\u003cli\u003eThe injected SSH options or commands are executed by the \u003ccode\u003essh\u003c/code\u003e command on the Cockpit server.\u003c/li\u003e\n\u003cli\u003eIf the injected content is a shell command, it executes with the privileges of the Cockpit process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the Cockpit host.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4631 allows an unauthenticated attacker to achieve remote code execution on the Cockpit host. The impact is severe, potentially leading to full system compromise. Given the role of Cockpit in system administration, a compromised host could allow attackers to gain control over other systems managed through the Cockpit interface. The number of victims will depend on the prevalence of vulnerable Cockpit instances exposed to the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Cockpit that addresses CVE-2026-4631 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Cockpit Login Attempts\u003c/code\u003e to identify exploitation attempts by monitoring for specific HTTP request patterns.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on the Cockpit login endpoint to prevent command injection.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual requests to the \u003ccode\u003e/cockpit/login\u003c/code\u003e endpoint (logsource: webserver).\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of SSH clients used by Cockpit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T09:01:04Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-cockpit-rce/","summary":"CVE-2026-4631 allows remote attackers to execute arbitrary code on a Cockpit host by injecting malicious SSH options via a crafted HTTP request to the login endpoint due to insufficient input validation of user-supplied hostnames and usernames.","title":"Cockpit Remote Login Command Injection (CVE-2026-4631)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-cockpit-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cockpit","version":"https://jsonfeed.org/version/1.1"}