Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
AnalysisAI
Remote code execution in Cockpit's system logs UI allows authenticated users to inject shell metacharacters into unsanitized URL parameters, executing arbitrary commands on RHEL 7/8/9/10 hosts. Attack requires low-complexity exploitation by a logged-in user who can craft malicious links targeting the logs interface. No public exploit identified at time of analysis, though the vulnerable code section is publicly accessible on GitHub. EPSS data not available; CVSS 8.0 reflects high impact across confidentiality, integrity, and availability if user interaction occurs.
Technical ContextAI
Cockpit is a web-based server administration interface for Linux systems, providing real-time system monitoring and management capabilities. The vulnerability resides in the systemd logs journal viewer component (logsJournal.jsx), where user-controlled parameters embedded in crafted URLs are passed to shell commands without proper sanitization or validation. This constitutes a CWE-78 OS Command Injection flaw, where shell metacharacters (such as backticks, semicolons, or $() substitutions) in URL parameters are interpreted by the underlying shell rather than treated as literal data. The affected CPE strings indicate this impacts Cockpit deployments across Red Hat Enterprise Linux versions 7, 8, 9, and 10, suggesting a cross-version architectural issue in how the logs UI handles parameter parsing and command construction.
RemediationAI
Check Red Hat Customer Portal at https://access.redhat.com/security/cve/CVE-2026-4802 and Bugzilla 2451155 for updated Cockpit packages addressing this command injection flaw; apply vendor-provided patches via standard yum/dnf update procedures once released. Until patches are available, implement compensating controls: restrict Cockpit web interface access to trusted administrative networks only via firewall rules (block external access to default TCP port 9090), enforce multi-factor authentication for all Cockpit users to raise attacker credential acquisition bar, deploy web application firewall rules to detect and block URLs containing shell metacharacters in query parameters targeting /system/logs paths, and educate administrators to avoid clicking untrusted links while authenticated to Cockpit sessions. Note that disabling the system logs UI feature entirely eliminates attack surface but removes legitimate log viewing functionality. Review GitHub commit history at https://github.com/cockpit-project/cockpit/blob/e204cd130/pkg/systemd/logsJournal.jsx for upstream fixes that may be backported to RHEL packages.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29051
GHSA-3wjm-5g86-c6p3