Skip to main content

Openitcockpit CVE-2026-24893

| EUVDEUVD-2026-22703 HIGH
Improper Input Validation (CWE-20)
2026-04-14 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 28, 2026 - 17:21 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.5.2
Analysis Generated
Apr 14, 2026 - 22:39 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 21:16 euvd
EUVD-2026-22703
Analysis Generated
Apr 14, 2026 - 21:16 vuln.today
CVE Published
Apr 14, 2026 - 20:37 nvd
HIGH 8.8

DescriptionGitHub Advisory

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.

AnalysisAI

Remote code execution in openITCOCKPIT Community Edition (versions prior to 5.5.2) allows authenticated users with host management permissions to execute arbitrary OS commands on the monitoring backend via command injection in host address fields. The vulnerability stems from unsanitized user input being expanded into Nagios/Icinga monitoring command templates and executed via shell, enabling full system compromise. CVSS score of 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed CVE.

Technical ContextAI

This vulnerability affects openITCOCKPIT, a web-based monitoring platform that interfaces with backend monitoring engines like Nagios and Icinga. The flaw (CWE-20: Improper Input Validation) occurs in the host configuration workflow where user-supplied host attributes-particularly the host address field-are incorporated into monitoring command templates without proper validation, escaping, or shell-safe quoting. When the monitoring engine executes these commands via a shell interpreter to perform health checks, the injected commands run with the privileges of the monitoring backend process. This represents a classic template injection scenario where the separation between data (host configuration) and code (monitoring commands) is violated, allowing authenticated users to break out of their intended privilege boundary and achieve remote code execution on the infrastructure monitoring system.

RemediationAI

Vendor-released patch: openITCOCKPIT version 5.5.2 fully remediates this vulnerability by implementing proper input validation, escaping, and quoting for host attributes used in command templates. Organizations should immediately upgrade to version 5.5.2 or later, available at https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2. Detailed upgrade guidance and release notes are published at https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2. As a temporary mitigation for environments unable to immediately patch, restrict host configuration permissions to only highly trusted administrators, implement audit logging for all host modifications, and review existing host configurations for suspicious command syntax in address fields. No workaround fully eliminates risk-patching remains the only complete remediation.

CVE-2026-24892 HIGH POC
7.5 Feb 20

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject

CVE-2026-24891 HIGH POC
7.5 Feb 20

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, whi

CVE-2020-10789 CRITICAL
9.8 Mar 25

openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell met

CVE-2019-15494 CRITICAL
9.8 Aug 23

openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. Rated critical severity (CVSS 9.8), this vulnerability is rem

CVE-2019-15490 CRITICAL
9.8 Aug 23

openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2020-10788 CRITICAL
9.1 Mar 25

openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API

CVE-2023-36663 HIGH
8.8 Jun 25

it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the so

CVE-2019-15491 HIGH
8.8 Aug 23

openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2023-3520 MEDIUM POC
4.6 Jul 06

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.

CVE-2023-3218 MEDIUM POC
4.4 Jun 13

Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5. Rated medium severity (CVSS 4

CVE-2020-10792 HIGH
7.5 Mar 20

openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placin

CVE-2019-15493 HIGH
7.5 Aug 23

openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. Rated high severity (CVSS 7.5), this vulnerabili

Share

CVE-2026-24893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy