Skip to main content

Cockpit CVE-2026-4802

| EUVDEUVD-2026-29051 HIGH
OS Command Injection (CWE-78)
2026-05-11 redhat GHSA-3wjm-5g86-c6p3
8.0
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.0 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 13:45 vuln.today
CVE Published
May 11, 2026 - 12:48 nvd
HIGH 8.0

DescriptionCVE.org

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

AnalysisAI

Remote code execution in Cockpit's system logs UI allows authenticated users to inject shell metacharacters into unsanitized URL parameters, executing arbitrary commands on RHEL 7/8/9/10 hosts. Attack requires low-complexity exploitation by a logged-in user who can craft malicious links targeting the logs interface. No public exploit identified at time of analysis, though the vulnerable code section is publicly accessible on GitHub. EPSS data not available; CVSS 8.0 reflects high impact across confidentiality, integrity, and availability if user interaction occurs.

Technical ContextAI

Cockpit is a web-based server administration interface for Linux systems, providing real-time system monitoring and management capabilities. The vulnerability resides in the systemd logs journal viewer component (logsJournal.jsx), where user-controlled parameters embedded in crafted URLs are passed to shell commands without proper sanitization or validation. This constitutes a CWE-78 OS Command Injection flaw, where shell metacharacters (such as backticks, semicolons, or $() substitutions) in URL parameters are interpreted by the underlying shell rather than treated as literal data. The affected CPE strings indicate this impacts Cockpit deployments across Red Hat Enterprise Linux versions 7, 8, 9, and 10, suggesting a cross-version architectural issue in how the logs UI handles parameter parsing and command construction.

RemediationAI

Check Red Hat Customer Portal at https://access.redhat.com/security/cve/CVE-2026-4802 and Bugzilla 2451155 for updated Cockpit packages addressing this command injection flaw; apply vendor-provided patches via standard yum/dnf update procedures once released. Until patches are available, implement compensating controls: restrict Cockpit web interface access to trusted administrative networks only via firewall rules (block external access to default TCP port 9090), enforce multi-factor authentication for all Cockpit users to raise attacker credential acquisition bar, deploy web application firewall rules to detect and block URLs containing shell metacharacters in query parameters targeting /system/logs paths, and educate administrators to avoid clicking untrusted links while authenticated to Cockpit sessions. Note that disabling the system logs UI feature entirely eliminates attack surface but removes legitimate log viewing functionality. Review GitHub commit history at https://github.com/cockpit-project/cockpit/blob/e204cd130/pkg/systemd/logsJournal.jsx for upstream fixes that may be backported to RHEL packages.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-4802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy