CVE-2026-31891
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
### Impact

This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled is potentially affected.

**Who is impacted:**

- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a **valid read-only API key** (the lowest privilege level) can exploit this vulnerability; no admin access is required.

**What an attacker can do:**

- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the `_state=1` published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.

**Confidentiality impact is High.** Integrity and availability are not directly affected by this vulnerability.

### Patches

This vulnerability has been **patched in version 2.13.5**. All users running Cockpit CMS version **2.13.4 or earlier** are strongly advised to upgrade to **2.13.5 or later** immediately.

- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5

The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
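To illustrate the field-name sanitization the fix describes, here is the vulnerable and the hardened construction of a SQLite `json_extract()` path side by side. This is an added example, not Cockpit's code: it is written in Python with sqlite3 rather than the project's PHP, and the function names, the allow-list pattern and the sample documents are assumptions.

```python
import json
import re
import sqlite3

# Constructed sample content: MongoLite keeps each record as a JSON document in SQLite.
SAMPLE_DOCS = [
    {"_id": 1, "title": "Launch notes", "_state": 1},   # published
    {"_id": 2, "title": "Launch notes", "_state": 0},   # draft, must stay hidden
]

# Assumed allow-list: a field name is a dotted chain of plain identifiers and nothing else.
FIELD_NAME_RE = re.compile(r"^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*$")


def json_extract_unsafe(field: str) -> str:
    """Vulnerable pattern: the caller-supplied field name is spliced straight into SQL."""
    return f"json_extract(document, '$.{field}')"


def json_extract_safe(field: str) -> str:
    """Hardened pattern: refuse any name that could break out of the quoted JSON path."""
    if not FIELD_NAME_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    return f"json_extract(document, '$.{field}')"


def build_query(field: str, extract) -> str:
    # The compared value is bound as a parameter; only the field name is interpolated.
    # The trailing _state = 1 predicate is the published-content gate named in the advisory.
    return (
        f"SELECT document FROM content WHERE {extract(field)} = ? "
        "AND json_extract(document, '$._state') = 1"
    )


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (document TEXT NOT NULL)")
    conn.executemany("INSERT INTO content VALUES (?)", [(json.dumps(d),) for d in SAMPLE_DOCS])
    return conn


def find_published(conn: sqlite3.Connection, field: str, value, extract=json_extract_safe):
    """Return published documents whose `field` equals `value`, using the given path builder."""
    rows = conn.execute(build_query(field, extract), (value,)).fetchall()
    return [json.loads(row[0]) for row in rows]
```

With the safe builder a field name containing a quote or parenthesis is rejected before any SQL is assembled, so the `_state = 1` gate cannot be reached by a crafted field name; the unsafe builder passes such a name through untouched.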
Analysis
SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. …
Remediation
Within 24 hours: Audit all exposed Cockpit CMS instances and document which versions are running; restrict API access to trusted networks only. Within 7 days: Evaluate upgrade to version 2.14.0 or later once available, or migrate to alternative CMS if timeline is critical. …
External POC / Exploit Code
GHSA-7x5c-vfhj-9628