<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cockpit CMS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/cockpit-cms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 23:18:59 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/cockpit-cms/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-57856 - Cockpit CMS Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cockpit-cms-path-traversal/</link><pubDate>Mon, 13 Jul 2026 23:18:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cockpit-cms-path-traversal/</guid><description>A path traversal vulnerability (CVE-2026-57856) exists in the Bucket file storage API of Cockpit CMS, allowing authenticated low-privileged users to exploit a flaw in bucket name sanitization to access, upload, or delete files across all buckets by using crafted '..' sequences.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, tracked as CVE-2026-57856, has been identified in the Cockpit CMS Bucket file storage API, specifically within the <code>/system/buckets/api</code> endpoint. This flaw stems from inadequate sanitization of the <code>bucket</code> name by the <code>api()</code> method in <code>modules/System/Controller/Buckets.php</code>, which fails to correctly strip '..' and '../' sequences. When this unsafely sanitized bucket name is interpolated into a Flysystem path as <code>uploads://buckets/{bucket}</code>, the Flysystem <code>WhitespacePathNormalizer</code> resolves <code>buckets/..</code> to the storage root. This bypass allows an authenticated low-privileged user to craft requests that grant unauthorized listing, uploading, and deletion of files across all buckets within the CMS, including those belonging to other users or administrative roles, posing a significant risk of data exfiltration, integrity compromise, and potential privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated low-privileged user gains access to the Cockpit CMS application.</li>
<li>The attacker identifies the vulnerable Bucket file storage API located at the <code>/system/buckets/api</code> endpoint.</li>
<li>The attacker crafts an HTTP request to this API, embedding a path traversal sequence such as <code>../</code> or its URL-encoded equivalent <code>..%2f</code> within the supplied bucket name parameter.</li>
<li>The server-side <code>api()</code> method within <code>modules/System/Controller/Buckets.php</code> receives the crafted request, attempting to sanitize the bucket name.</li>
<li>The <code>preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket)</code> sanitization function fails to neutralize the <code>../</code> sequences, leaving them intact.</li>
<li>The incompletely sanitized bucket name is then used to construct an internal Flysystem path, resulting in a URI-like string such as <code>uploads://buckets/{bucket_with_traversal_sequences}</code>.</li>
<li>Flysystem's <code>WhitespacePathNormalizer</code> processes this path, inadvertently resolving the <code>buckets/..</code> segment to the root of the storage system, effectively bypassing intended access restrictions.</li>
<li>The attacker can now perform unauthorized operations, including listing, uploading, and deleting files, across any bucket within the Cockpit CMS environment, potentially leading to data theft or compromise of the application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-57856 allows an authenticated, low-privileged user to gain unauthorized access and control over all file storage buckets in the Cockpit CMS instance. This includes the ability to list the contents of any bucket, upload arbitrary files, and delete existing files, regardless of ownership or assigned user roles. This could lead to severe data integrity issues, unauthorized data exfiltration of sensitive information, or even remote code execution if malicious files are uploaded and subsequently executed by the server. The broad access afforded to a low-privileged user significantly elevates the risk profile for organizations utilizing Cockpit CMS, potentially exposing all stored data to compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-57856 on all Cockpit CMS instances immediately to prevent exploitation.</li>
<li>Deploy the <code>Detect CVE-2026-57856 Exploitation - Cockpit CMS Path Traversal</code> Sigma rule to your SIEM to detect attempts at exploiting the <code>/system/buckets/api</code> endpoint.</li>
<li>Enable comprehensive web server logging for the <code>webserver</code> category, capturing <code>cs-uri-stem</code>, <code>cs-uri-query</code>, and <code>cs-method</code>, to ensure the log source for the detection rule is available.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>privilege-escalation</category><category>data-exfiltration</category><category>api-abuse</category></item></channel></rss>