Description
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability; no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
Published: 2026-03-18
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch Immediately
AI Analysis

Impact

Cockpit CMS exposes an SQL Injection flaw in its MongoLite Aggregation Optimizer. Unsanitized field names in aggregation queries allow attackers to inject arbitrary SQL via the toJsonExtractRaw() method. This injection can breach the published-content filter, letting even a read‑only API key read unpublished or restricted content from the underlying SQLite database. The result is unauthorized data exposure, potentially giving attackers sensitive information without requiring administrative privileges.
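The bug class that the Description and the Impact paragraph above describe, as an added example that is not Cockpit's code and not part of the OpenCVE page: a small Python model of a MongoLite-style optimizer that compiles a Mongo-like `$match` on a caller-supplied field into SQLite `json_extract()` calls. The vulnerable variant concatenates the field name into the JSON path literal, so a crafted field name closes the literal and appends an always-true clause that defeats the prepended `_state=1` filter; the hardened variant rejects any field name that is not a plain dotted identifier before it reaches SQL. The `items` table, the sample documents, `INJECTED_FIELD` and the `FIELD_NAME_RE` pattern are constructed assumptions for this example; the pattern is not the sanitizer that Cockpit 2.13.5 ships. It needs a SQLite build with the JSON functions (standard in recent Python builds).

```python
# Added example (not Cockpit's or OpenCVE's code): a Python model of a
# MongoLite-style optimizer that turns a $match on a field into SQLite
# json_extract() calls. Table layout, documents, INJECTED_FIELD and
# FIELD_NAME_RE are assumptions made for this example.
import json
import re
import sqlite3

# Constructed sample content; _state=1 is published, _state=0 is an unpublished draft.
SAMPLE_DOCS = [
    {"title": "Launch post", "_state": 1},
    {"title": "Unreleased roadmap", "_state": 0},
    {"title": "Internal pricing", "_state": 0},
]

# Allowed field names: dotted identifiers such as "title" or "meta.author".
# This pattern is an assumption for the example, not Cockpit's own sanitizer.
FIELD_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")

# A field name that closes the path literal and appends an always-true clause.
INJECTED_FIELD = "title') IS NOT NULL OR 1=1 OR ('x"


def is_safe_field_name(field):
    """True only for plain dotted identifiers; quotes, parentheses, spaces are refused."""
    return FIELD_NAME_RE.match(field) is not None


def open_db():
    """Create an in-memory SQLite store with one JSON document per row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, document TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO items (document) VALUES (?)",
        [(json.dumps(d),) for d in SAMPLE_DOCS],
    )
    return conn


def to_json_extract_vulnerable(field):
    """Pre-fix behaviour: the field name lands unescaped inside the path literal."""
    return "json_extract(document, '$." + field + "')"


def to_json_extract_hardened(field):
    """Post-fix behaviour: refuse anything that is not a plain dotted identifier."""
    if not is_safe_field_name(field):
        raise ValueError("invalid field name: %r" % field)
    return "json_extract(document, '$." + field + "')"


def build_match_sql(to_json_extract, field):
    """Compile {"$match": {field: value}} with the published-content filter prepended.

    The compared value is a bound parameter, so the only injection point is the
    field name that the caller controls through the aggregation pipeline.
    """
    return (
        "SELECT document FROM items "
        "WHERE json_extract(document, '$._state') = 1 "
        "AND " + to_json_extract(field) + " = ?"
    )


def run_match(conn, to_json_extract, field, value):
    """Run the compiled $match and return the titles of the documents it exposes."""
    sql = build_match_sql(to_json_extract, field)
    return [json.loads(row[0])["title"] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = open_db()
    # Legitimate query: only the published document comes back.
    print("legitimate:", run_match(db, to_json_extract_vulnerable, "title", "Launch post"))
    # Injected field name: the OR 1=1 clause exposes the drafts as well.
    print("injected  :", run_match(db, to_json_extract_vulnerable, INJECTED_FIELD, "Launch post"))
    try:
        run_match(db, to_json_extract_hardened, INJECTED_FIELD, "Launch post")
    except ValueError as err:
        print("hardened  :", err)
```

With the vulnerable optimizer the injected field name compiles to `... AND json_extract(document, '$.title') IS NOT NULL OR 1=1 OR ('x') = ?`, and because `AND` binds tighter than `OR` the `_state` filter no longer constrains the result set, which is the bypass the advisory describes. Binding the compared value does nothing to prevent this; the field name has to be validated (or rejected) before it is spliced into the path literal.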

Affected Systems

This vulnerability affects the Cockpit content management system by Cockpit-HQ (NVD also records the vendor as Agentejo; see History). Any deployment running version 2.13.4 or older, with API access enabled and the /api/content/aggregate/{model} endpoint reachable by untrusted users, is susceptible. No other vendors or products are listed.

Risk and Exploitability

The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) scores 7.7 High: the flaw is reachable over the network, needs only low privileges (a read-only API key) and no user interaction, changes scope, and has a high confidentiality impact with no integrity or availability impact. The EPSS is below 1%, indicating a low current exploitation probability, the SSVC assessment records no known exploitation and rates the bug as not automatable, and it is not listed in the CISA KEV catalog. Exploitation requires network access to the aggregation endpoint and a valid read-only API key but no admin rights. Attackers could send crafted aggregation payloads whose field names carry SQL, bypass the `_state=1` published-content filter, and read data from the SQLite store. A patch applying field-name sanitization to toJsonExtractRaw() is available in version 2.13.5.

Generated by OpenCVE AI on March 20, 2026 at 19:25 UTC.

Remediation

Fixed in Cockpit 2.13.5, which applies the field-name sanitization introduced in v2.13.3 for toJsonPath() to toJsonExtractRaw() as well. No separate workaround is published by the vendor; restricting who can reach the API is a mitigation, not a fix.

OpenCVE Recommended Actions

  • Upgrade Cockpit CMS to version 2.13.5 or newer.
  • If an upgrade cannot be performed immediately, restrict or disable API access for untrusted users.
  • Verify that the /api/content/aggregate endpoint is not publicly exposed, or limit its availability to trusted IP ranges.


Advisories
  Source: GitHub GHSA
  ID: GHSA-7x5c-vfhj-9628
  Title: Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
History

(All entries below only added values; no values were removed.)

Fri, 20 Mar 2026 18:15:00 +0000

  First Time appeared (added): Agentejo; Agentejo cockpit
  CPEs (added): cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*
  Vendors & Products (added): Agentejo; Agentejo cockpit

Wed, 18 Mar 2026 19:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

  First Time appeared (added): Cockpit-hq; Cockpit-hq cockpit
  Vendors & Products (added): Cockpit-hq; Cockpit-hq cockpit

Wed, 18 Mar 2026 03:30:00 +0000

  Description (added): Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability; no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
  Title (added): Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
  Weaknesses (added): CWE-89
  References (added):
  Metrics (added): cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Agentejo Cockpit
Cockpit-hq Cockpit
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:36:30.952Z

Reserved: 2026-03-09T21:59:02.687Z

Link: CVE-2026-31891

Vulnrichment

Updated: 2026-03-18T18:34:46.299Z

NVD

Status : Analyzed

Published: 2026-03-18T04:17:19.570

Modified: 2026-03-20T18:00:37.580

Link: CVE-2026-31891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:28Z

Weaknesses