CVE Catalog

CVE-2026-4631

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
14.20%

96th percentile — higher than 96% of all known CVEs

Summary

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Risk Assessment

The organization is at risk of remote code execution on the Cockpit server without valid credentials, potentially leading to full system compromise and lateral movement within the network.

Recommendation

Immediately update Cockpit to a version that includes a fix validating input in the remote login feature. Until the update is applied, restrict network access to the Cockpit web interface to trusted IP addresses only.

Original NVD description (English source)

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS