CVE-2026-4631
CriticalCVSS 9.8Exploitation Probability (EPSS)
Very high risk96th percentile — higher than 96% of all known CVEs
Summary
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
Risk Assessment
The organization is at risk of remote code execution on the Cockpit server without valid credentials, potentially leading to full system compromise and lateral movement within the network.
Recommendation
Immediately update Cockpit to a version that includes a fix validating input in the remote login feature. Until the update is applied, restrict network access to the Cockpit web interface to trusted IP addresses only.
Original NVD description (English source)
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

