{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cockpit-cms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-57856"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cockpit CMS"],"_cs_severities":["high"],"_cs_tags":["path-traversal","privilege-escalation","data-exfiltration","api-abuse"],"_cs_type":"advisory","_cs_vendors":["Cockpit CMS"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as CVE-2026-57856, has been identified in the Cockpit CMS Bucket file storage API, specifically within the \u003ccode\u003e/system/buckets/api\u003c/code\u003e endpoint. This flaw stems from inadequate sanitization of the \u003ccode\u003ebucket\u003c/code\u003e name by the \u003ccode\u003eapi()\u003c/code\u003e method in \u003ccode\u003emodules/System/Controller/Buckets.php\u003c/code\u003e, which fails to correctly strip '..' and '../' sequences. When this unsafely sanitized bucket name is interpolated into a Flysystem path as \u003ccode\u003euploads://buckets/{bucket}\u003c/code\u003e, the Flysystem \u003ccode\u003eWhitespacePathNormalizer\u003c/code\u003e resolves \u003ccode\u003ebuckets/..\u003c/code\u003e to the storage root. This bypass allows an authenticated low-privileged user to craft requests that grant unauthorized listing, uploading, and deletion of files across all buckets within the CMS, including those belonging to other users or administrative roles, posing a significant risk of data exfiltration, integrity compromise, and potential privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated low-privileged user gains access to the Cockpit CMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable Bucket file storage API located at the \u003ccode\u003e/system/buckets/api\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to this API, embedding a path traversal sequence such as \u003ccode\u003e../\u003c/code\u003e or its URL-encoded equivalent \u003ccode\u003e..%2f\u003c/code\u003e within the supplied bucket name parameter.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003eapi()\u003c/code\u003e method within \u003ccode\u003emodules/System/Controller/Buckets.php\u003c/code\u003e receives the crafted request, attempting to sanitize the bucket name.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epreg_replace('/[^a-zA-Z0-9-_\\\\.]/','', $bucket)\u003c/code\u003e sanitization function fails to neutralize the \u003ccode\u003e../\u003c/code\u003e sequences, leaving them intact.\u003c/li\u003e\n\u003cli\u003eThe incompletely sanitized bucket name is then used to construct an internal Flysystem path, resulting in a URI-like string such as \u003ccode\u003euploads://buckets/{bucket_with_traversal_sequences}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFlysystem's \u003ccode\u003eWhitespacePathNormalizer\u003c/code\u003e processes this path, inadvertently resolving the \u003ccode\u003ebuckets/..\u003c/code\u003e segment to the root of the storage system, effectively bypassing intended access restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform unauthorized operations, including listing, uploading, and deleting files, across any bucket within the Cockpit CMS environment, potentially leading to data theft or compromise of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-57856 allows an authenticated, low-privileged user to gain unauthorized access and control over all file storage buckets in the Cockpit CMS instance. This includes the ability to list the contents of any bucket, upload arbitrary files, and delete existing files, regardless of ownership or assigned user roles. This could lead to severe data integrity issues, unauthorized data exfiltration of sensitive information, or even remote code execution if malicious files are uploaded and subsequently executed by the server. The broad access afforded to a low-privileged user significantly elevates the risk profile for organizations utilizing Cockpit CMS, potentially exposing all stored data to compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-57856 on all Cockpit CMS instances immediately to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2026-57856 Exploitation - Cockpit CMS Path Traversal\u003c/code\u003e Sigma rule to your SIEM to detect attempts at exploiting the \u003ccode\u003e/system/buckets/api\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging for the \u003ccode\u003ewebserver\u003c/code\u003e category, capturing \u003ccode\u003ecs-uri-stem\u003c/code\u003e, \u003ccode\u003ecs-uri-query\u003c/code\u003e, and \u003ccode\u003ecs-method\u003c/code\u003e, to ensure the log source for the detection rule is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T23:18:59Z","date_published":"2026-07-13T23:18:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cockpit-cms-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-57856) exists in the Bucket file storage API of Cockpit CMS, allowing authenticated low-privileged users to exploit a flaw in bucket name sanitization to access, upload, or delete files across all buckets by using crafted '..' sequences.","title":"CVE-2026-57856 - Cockpit CMS Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cockpit-cms-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Cockpit CMS","version":"https://jsonfeed.org/version/1.1"}