Description
Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.
Published: 2026-04-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cockpit CMS 2.13.5 and earlier pass the filter parameter of several endpoints to the embedded MongoLite query engine without rejecting its $func operator. Because $func evaluates the supplied value as code, an attacker who controls the filter can execute arbitrary code on the host and, through it, system commands. The result is full compromise of the confidentiality, integrity, and availability of the server. The weakness maps to CWE-78 (OS command injection) and CWE-94 (code injection).

Affected Systems

The security issue affects Cockpit CMS releases 2.13.5 and earlier; any installation running one of those versions exposes the vulnerable endpoints. The advisory names 2.13.5 as the last affected release and 2.14.0 as the release that contains the fix.

Risk and Exploitability

With no CVSS score published and no EPSS value available, a numeric severity cannot be derived from the data shown. The flaw nonetheless yields arbitrary command execution through network-reachable endpoints, so it should be treated as remotely exploitable and high risk. Absence from the KEV catalog does not reduce the urgency: it records only that in-the-wild exploitation has not been observed, not that exploitation is difficult.

Generated by OpenCVE AI on April 29, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cockpit CMS to version 2.14.0 or later, which contains the fix for the MongoLite filter parameter handling.
  • If an immediate upgrade is not possible, restrict network access to the affected endpoints so that only trusted internal hosts can reach them.
  • As a temporary measure, run the application with the least privilege necessary and, if your deployment does not rely on $func filters, reject requests whose filter parameter contains $func (or any operator you do not use) at the application or reverse-proxy layer before they reach Cockpit.
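One way to implement the gate described in the Impact section and in the third recommended action, as an added example that is not Cockpit's or MongoLite's own code: a Python check, suitable for a reverse proxy or WAF hook, that rejects any filter value carrying $func or any other $-prefixed key outside a configurable allowlist before the request reaches the application. The operator allowlist, the endpoint paths in the constructed samples, and the two places the filter is read from (a filter query parameter, or a filter member of a JSON body) are assumptions to tune for your deployment.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Operators a legitimate filter is allowed to use. Assumption: this is a
# starting point, not Cockpit's or MongoLite's own operator list; trim it to
# what your clients actually send. Any other key beginning with '$'
# (including '$func') is rejected.
ALLOWED_OPERATORS = {
    "$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin",
    "$and", "$or", "$not", "$exists", "$regex",
}


def find_forbidden_operators(node, path="$"):
    """Walk a decoded filter and return a list of (json_path, key) for every
    '$'-prefixed key that is not allow-listed, at any nesting depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{path}.{key}"
            if isinstance(key, str) and key.startswith("$") \
                    and key.lower() not in ALLOWED_OPERATORS:
                hits.append((child_path, key))
            hits.extend(find_forbidden_operators(value, child_path))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_forbidden_operators(item, f"{path}[{index}]"))
    return hits


def filter_is_safe(raw_filter):
    """Decide whether one filter value may be passed on. Returns (ok, reason).

    Fails closed: anything that is not a JSON object is rejected, so an
    unparsed or oddly typed value never reaches the query engine."""
    try:
        decoded = json.loads(raw_filter)
    except (TypeError, ValueError):
        return False, "filter is not valid JSON"
    if not isinstance(decoded, dict):
        return False, "filter must be a JSON object"
    hits = find_forbidden_operators(decoded)
    if hits:
        return False, "forbidden operator(s): " + ", ".join(k for _, k in hits)
    return True, "ok"


def check_request(url, json_body=None):
    """Inspect one request the way a reverse-proxy or WAF rule would.

    Assumption: the filter arrives either as a JSON string in a `filter`
    query parameter or as a `filter` member of a JSON request body; adjust
    if your endpoints read it elsewhere. Returns a list of (location, reason)
    for every rejected filter; an empty list means the request may proceed."""
    problems = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for raw in query.get("filter", []):
        ok, reason = filter_is_safe(raw)
        if not ok:
            problems.append(("query.filter", reason))
    if json_body is not None:
        try:
            body = json.loads(json_body)
        except ValueError:
            problems.append(("body", "body is not valid JSON"))
            return problems
        if isinstance(body, dict) and "filter" in body:
            raw = body["filter"]
            # A body filter may already be an object; re-serialise so one
            # code path handles both the string and the object form.
            ok, reason = filter_is_safe(raw if isinstance(raw, str) else json.dumps(raw))
            if not ok:
                problems.append(("body.filter", reason))
    return problems


if __name__ == "__main__":
    # Constructed sample requests; the endpoint path is illustrative only.
    samples = [
        ("/api/content/items/posts?filter=%7B%22title%22%3A%7B%22%24regex%22%3A%22%5Ea%22%7D%7D", None),
        ("/api/content/items/posts?filter=%7B%22%24func%22%3A%22system%22%7D", None),
        ("/api/content/items/posts", '{"filter": {"$and": [{"x": 1}, {"$FUNC": "x"}]}}'),
    ]
    for url, body in samples:
        print(url, body, "->", check_request(url, body) or "allowed")
```

The check compares keys case-insensitively and walks into $and/$or arrays, so an operator hidden inside a nested clause is still caught; because it is an allowlist rather than a denylist, it also blocks any alias of $func the bundled query engine might accept without the check having to know the alias. Log every rejection with the offending path, since a blocked $func filter is a direct indicator of attempted exploitation.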

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:30:00 +0000

Type         Values Removed   Values Added
Title        -                Arbitrary Code Execution in Cockpit CMS via Filter Parameter
Weaknesses   -                CWE-78, CWE-94

Wed, 29 Apr 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Cockpit-hq; Cockpit-hq cockpit
Vendors & Products    -                Cockpit-hq; Cockpit-hq cockpit

Wed, 29 Apr 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description   -                Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T14:30:42.415Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38992

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-29T15:16:05.750

Modified: 2026-04-29T21:22:20.120

Link: CVE-2026-38992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:15:16Z

Weaknesses