Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.
AnalysisAI
Remote code execution in openITCOCKPIT Community Edition (versions prior to 5.5.2) allows authenticated users with host management permissions to execute arbitrary OS commands on the monitoring backend via command injection in host address fields. The vulnerability stems from unsanitized user input being expanded into Nagios/Icinga monitoring command templates and executed via shell, enabling full system compromise. CVSS score of 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed CVE.
Technical ContextAI
This vulnerability affects openITCOCKPIT, a web-based monitoring platform that interfaces with backend monitoring engines like Nagios and Icinga. The flaw (CWE-20: Improper Input Validation) occurs in the host configuration workflow where user-supplied host attributes-particularly the host address field-are incorporated into monitoring command templates without proper validation, escaping, or shell-safe quoting. When the monitoring engine executes these commands via a shell interpreter to perform health checks, the injected commands run with the privileges of the monitoring backend process. This represents a classic template injection scenario where the separation between data (host configuration) and code (monitoring commands) is violated, allowing authenticated users to break out of their intended privilege boundary and achieve remote code execution on the infrastructure monitoring system.
RemediationAI
Vendor-released patch: openITCOCKPIT version 5.5.2 fully remediates this vulnerability by implementing proper input validation, escaping, and quoting for host attributes used in command templates. Organizations should immediately upgrade to version 5.5.2 or later, available at https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2. Detailed upgrade guidance and release notes are published at https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2. As a temporary mitigation for environments unable to immediately patch, restrict host configuration permissions to only highly trusted administrators, implement audit logging for all host modifications, and review existing host configurations for suspicious command syntax in address fields. No workaround fully eliminates risk-patching remains the only complete remediation.
More in Openitcockpit
View allUnsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject
Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, whi
openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell met
openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. Rated critical severity (CVSS 9.8), this vulnerability is rem
openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. Rated critical severity (CVSS 9.8), this vulnerabil
openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API
it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the so
openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. Rated high severity (CVSS 8.8), this vulnerability is remotely e
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.
Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5. Rated medium severity (CVSS 4
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placin
openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. Rated high severity (CVSS 7.5), this vulnerabili
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22703