Description
openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.
Published: 2026-04-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

openITCOCKPIT Community Edition before version 5.5.2 contains a command‑injection flaw that lets an authenticated user who can add or alter host definitions inject arbitrary operating‑system commands into the host address field. The value is incorporated into monitoring templates and passed to the monitoring engine (Nagios or Icinga) through a shell without sanitisation, escaping or quoting, allowing an attacker to execute any OS command on the backend and gain full control of the monitoring system.

Affected Systems

All installations of openITCOCKPIT Community Edition released prior to 5.5.2 are affected. The flaw is tied to host configurations editable by users with host‑management rights, and the vendor has provided a patch in release 5.5.2 that removes the unsanitised macro expansion.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is classified as High. Exploitation requires an authenticated user who can modify host records, so an attacker holding compromised credentials for such a user, or otherwise elevated privileges, can immediately gain remote code execution. The absence of EPSS or KEV data does not reduce the risk: the high severity score and the fact that the attack path exploits the monitoring engine's shell invocation point to a serious threat for environments running openITCOCKPIT.

Generated by OpenCVE AI on April 14, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to openITCOCKPIT 5.5.2 or later, which removes the unsanitised macro replacement.
  • Limit host‑management permissions to trusted operators; restrict the ability to add or modify hosts to users who genuinely need it.
  • Disable or tighten monitoring command templates that use the host address as a macro; review existing templates to ensure no shell invocation with raw user data.
  • Monitor system logs for unexpected command execution and audit host configuration changes.
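The description above states the root cause (the host address is substituted into a check command template and the result is run through a shell, unvalidated and unquoted), and the recommendations ask operators to review templates for shell invocation with raw user data. The following is an added illustration written for this page; it is not openITCOCKPIT, Nagios or Icinga code. It assumes a constructed template using the `$HOSTADDRESS$` macro convention and shows the weak pattern (raw string substitution) beside two hardened ones: validate the address as an IP literal or plain hostname and shell-quote it, or better, substitute per argument and execute without a shell at all. A small template audit helper flags templates that use the macro unquoted.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed macro name, modelled on the Nagios/Icinga $HOSTADDRESS$ convention.
MACRO = "$HOSTADDRESS$"

# Plain hostname: letters, digits, dots and hyphens only (assumption: no IDN, no underscores).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,251}[A-Za-z0-9])?$")


def is_valid_host_address(value: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def expand_unsafe(template: str, address: str) -> str:
    """The weak pattern: raw substitution into one string that a shell will parse.

    Any shell metacharacter in `address` changes the command structure."""
    return template.replace(MACRO, address)


def expand_safe(template: str, address: str) -> str:
    """Validate first, then shell-quote, so the value can only ever be one argument."""
    if not is_valid_host_address(address):
        raise ValueError(f"rejected host address: {address!r}")
    return template.replace(MACRO, shlex.quote(address))


def build_argv(template: str, address: str) -> list[str]:
    """Preferred form: tokenise the template once, substitute per token, never use a shell."""
    if not is_valid_host_address(address):
        raise ValueError(f"rejected host address: {address!r}")
    return [address if tok == MACRO else tok for tok in shlex.split(template)]


def run_check(argv: list[str], timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Execute an argv list directly (shell=False), so arguments are never re-parsed."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, shell=False)


def macro_is_quoted(template: str) -> bool:
    """Audit helper: True when every $HOSTADDRESS$ occurrence sits inside single quotes.

    Quoting alone is not sufficient (a value containing a quote still breaks out),
    which is why it is paired with validation above; unquoted use is the clear red flag."""
    unquoted = re.sub(r"'[^']*'", "", template)
    return MACRO not in unquoted


if __name__ == "__main__":
    # Constructed sample template and addresses; the plugin path is illustrative.
    tpl = "/usr/lib/nagios/plugins/check_ping -H $HOSTADDRESS$ -w 100,20% -c 500,60%"
    print(expand_unsafe(tpl, "10.0.0.5; true"))     # structure changed by the semicolon
    print(build_argv(tpl, "10.0.0.5"))              # one argument, no shell involved
    print(macro_is_quoted(tpl), macro_is_quoted(tpl.replace(MACRO, f"'{MACRO}'")))
```

The audit helper is a conservative first pass for a template review: it only looks for the macro outside single quotes, and a template that passes it still needs the address validated at write time, which is where the fix in the description sits.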


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:30:00 +0000

Type: First Time appeared
  Values Added: Openitcockpit; Openitcockpit openitcockpit
Type: Vendors & Products
  Values Added: Openitcockpit; Openitcockpit openitcockpit

Wed, 15 Apr 2026 14:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 21:00:00 +0000

Type: Description
  Values Added: openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.
Type: Title
  Values Added: openITCOCKPIT has Authenticated Command Injection Leading to Remote Code Execution via Host Address Macro Expansion
Type: Weaknesses
  Values Added: CWE-20, CWE-78
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
  {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T13:40:30.971Z

Reserved: 2026-01-27T19:35:20.529Z

Link: CVE-2026-24893

Vulnrichment

Updated: 2026-04-15T13:40:27.440Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T21:16:24.987

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-24893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses