<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cockpit HQ - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/cockpit-hq/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 23:18:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/cockpit-hq/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cockpit CMS Missing Authorization Vulnerability in Bucket File Storage API (CVE-2026-57855)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cockpit-cms-auth-bypass/</link><pubDate>Mon, 13 Jul 2026 23:18:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cockpit-cms-auth-bypass/</guid><description>A missing authorization vulnerability, CVE-2026-57855, in the Cockpit CMS Bucket file storage API allows any authenticated user, regardless of their assigned role, to perform all file operations on any named bucket, including those designated for administrative use, potentially leading to privilege escalation, data manipulation, or data destruction.</description><content:encoded><![CDATA[<p>CVE-2026-57855 describes a critical missing authorization vulnerability within the Cockpit CMS Bucket file storage API. Specifically, the <code>api()</code> method located in <code>modules/System/Controller/Buckets.php</code> fails to implement proper Access Control List (ACL) or role-based checks before executing various bucket commands such as <code>ls</code>, <code>upload</code>, <code>removefiles</code>, <code>rename</code>, and <code>createfolder</code>. This flaw enables any authenticated user, even those with low privileges, to bypass intended security restrictions and perform arbitrary file operations on any named bucket, including sensitive administrative buckets. The vulnerability, discovered by VulnCheck, has a CVSS v3.1 base score of 8.8, indicating a high potential for impact. If exploited, an attacker could gain unauthorized access to data, manipulate website content, delete critical files, or potentially achieve remote code execution by uploading malicious scripts into web-accessible directories, thereby escalating their privileges within the CMS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary obtains valid but low-privileged credentials for a Cockpit CMS instance.</li>
<li>The adversary authenticates to the Cockpit CMS web interface or directly interacts with its API.</li>
<li>The adversary crafts an HTTP request targeting the <code>/system/buckets/api</code> endpoint.</li>
<li>The request includes a bucket operation command (e.g., <code>upload</code>, <code>removefiles</code>, <code>createfolder</code>) and specifies a target bucket, potentially an administrator-only bucket.</li>
<li>The <code>api()</code> method in <code>modules/System/Controller/Buckets.php</code> processes the request and executes the command.</li>
<li>Due to the missing authorization checks, the system fails to verify the user's role or permissions for the requested operation or target bucket.</li>
<li>The command is executed successfully, allowing the adversary to perform unauthorized actions such as uploading web shells, deleting critical site files, or modifying configuration data.</li>
<li>This leads to privilege escalation, data destruction, data manipulation, or potentially arbitrary code execution on the Cockpit CMS server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-57855 can lead to severe consequences for organizations utilizing Cockpit CMS. The primary impact is unauthorized access to and manipulation of sensitive data. Attackers can upload malicious files, leading to potential website defacement or arbitrary code execution if a web shell is deployed. Furthermore, adversaries can delete or rename critical system files, causing denial of service, data loss, or inhibiting system recovery. The vulnerability also facilitates privilege escalation, allowing low-privileged authenticated users to gain administrative capabilities, take full control of the CMS, and potentially pivot to other systems within the network. While no specific victim count or targeted sectors are provided, any organization running affected versions of Cockpit CMS is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Cockpit CMS instances to version 2.14.0 or newer immediately to address CVE-2026-57855, as indicated by the fix in <code>https://github.com/Cockpit-HQ/Cockpit/commit/dde2d1d74f5f4e11de42a298918ea8c9684f932c</code>.</li>
<li>Implement robust monitoring of web server logs for suspicious activity directed at the <code>/system/buckets/api</code> endpoint, particularly for requests originating from low-privileged user accounts.</li>
<li>Monitor file system integrity and changes within Cockpit CMS installation directories and associated bucket storage locations for unauthorized file uploads, deletions, or modifications.</li>
<li>Regularly review user accounts and their assigned roles within Cockpit CMS to ensure the principle of least privilege is strictly enforced.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web-application</category><category>cms</category><category>authorization-bypass</category><category>privilege-escalation</category></item></channel></rss>