Description
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: 3.6% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Cockpit's remote login feature passes the hostname and username entered in the web interface to the underlying SSH client without validation or sanitization. An attacker who can reach the Cockpit web service can send a single HTTP request to the login endpoint whose hostname or username field injects SSH command-line options or shell commands. Because the injection happens in the authentication flow, before any credential check, the attacker executes arbitrary code on the Cockpit host without valid credentials; the CVSS vector (C:H/I:H/A:H, scope unchanged) reflects full compromise of that host. Red Hat classifies the weakness as CWE-78 (OS command injection); the advisory title describes it more specifically as ssh command-line argument injection.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux systems that run the Cockpit service: RHEL 7, RHEL 8, RHEL 9, RHEL 9.6 EUS, RHEL 10 and RHEL 10.0 EUS, per the CPEs recorded in the history below. Other distributions that ship Cockpit are not enumerated on this page. Systems are at risk when the Cockpit web service is reachable from untrusted networks; the code execution lands on the Cockpit host itself, not on the remote machine named in the login request.

Risk and Exploitability

With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the vulnerability is rated Critical. The EPSS score of 3.6 % indicates a low predicted exploitation probability at the time of writing, but the attack needs no credentials and consists of a single HTTP request to the web service, so any attacker who can reach a Cockpit instance can attempt it. The issue is not listed in the CISA KEV catalog and the SSVC assessment records Exploitation: none, meaning no in-the-wild exploitation has been reported; that is not evidence that exploitation is difficult (SSVC rates the technical impact as total), and the risk is very high for instances exposed to untrusted networks.

Generated by OpenCVE AI on April 21, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Red Hat updates RHSA‑2026:7381 through RHSA‑2026:7384 to patch Cockpit.
  • If the update cannot be applied immediately, restrict inbound access to the Cockpit web service (TCP port 9090 by default) to trusted management networks with the host firewall, or stop and disable the socket-activated cockpit.socket unit until the patch is installed. Blocking outbound traffic does not help: the injected command runs on the Cockpit host itself.
  • Monitor Cockpit's logs (the cockpit-ws unit in the journal) and any reverse proxy in front of it for login requests whose hostname or username field begins with a hyphen or contains shell metacharacters, and for unexpected processes spawned by Cockpit's SSH client; enforce least-privilege access controls so that a compromised Cockpit host is not a high-value pivot.
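The following is an added example, not Cockpit's own code and not taken from the advisory: it models the flaw class named in the title (ssh command-line argument injection) with a small getopt-style parser so the option-injection path of the Impact section is visible, shows the allow-list plus "--" separator that closes it, and reuses the same allow-list as the log check suggested in the last recommendation above. The ssh option tables, the hostname and username regexes, the function names and the journal-style log lines are all assumptions made for the example.

```python
"""Example added to this advisory page; illustrative, not Cockpit's code."""
import re

# Subset of ssh(1) option letters. Letters in OPTS_WITH_ARG take a value,
# glued ("-oFoo") or as the next element ("-o Foo"); OPTS_FLAG are bare
# flags. Like getopt(3), parsing stops at the first element that does not
# begin with "-" (or at "--"); that element is the destination.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
OPTS_FLAG = set("46AaCfGgKkMNnqsTtVvXxy")


def model_ssh_parse(argv):
    """Return (options, destination) the way ssh's option loop sees argv."""
    options, i = [], 1                       # argv[0] is the program name
    while i < len(argv) and argv[i].startswith("-") and argv[i] != "--":
        letter, rest = argv[i][1:2], argv[i][2:]
        if letter in OPTS_WITH_ARG:
            if rest:                         # glued form: -oProxyCommand=...
                options.append((letter, rest))
                i += 1
            else:                            # separate form: -o ProxyCommand=...
                options.append((letter, argv[i + 1]))
                i += 2
        elif letter in OPTS_FLAG:            # bundled flags (-vv) not modelled
            options.append((letter, None))
            i += 1
        else:
            raise ValueError(f"unknown ssh option {argv[i]!r}")
    if i < len(argv) and argv[i] == "--":
        i += 1
    destination = argv[i] if i < len(argv) else None
    return options, destination


def build_argv_vulnerable(host, user):
    """The flaw class on the page: form values pasted into the command line.

    A user value beginning with "-" is consumed as an option by ssh's
    parser; "-oProxyCommand=..." makes ssh run an attacker-chosen program
    on the local host before any authentication takes place.
    """
    return ["ssh", f"{user}@{host}"]


# Allow-lists for what a login form may forward (assumed for this example:
# DNS-name/IPv4 shape and a POSIX-style login name; IPv6 literals omitted).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")
USER_RE = re.compile(r"[a-z_][a-z0-9_\-]{0,31}")


def is_safe_destination(host, user):
    """True only if both values match the allow-lists (neither may start with '-')."""
    return bool(HOST_RE.fullmatch(host) and USER_RE.fullmatch(user))


def build_argv_hardened(host, user, port=22):
    """Validate, then keep untrusted values out of option position.

    "-l" and "-p" carry them as option arguments, which getopt never
    inspects, and "--" ends option parsing so the destination can never be
    read as a flag even if the allow-list is relaxed later. Execute with
    subprocess.run(argv) in list form, never through a shell.
    """
    if not is_safe_destination(host, user):
        raise ValueError(f"rejected remote login target {user!r}@{host!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"rejected port {port!r}")
    return ["ssh", "-l", user, "-p", str(port), "--", host]


# Constructed journal-style lines for the detection check; the real
# cockpit-ws log format is not shown on the page.
SAMPLE_LOG = [
    'Apr 07 15:52:01 web cockpit-ws[1337]: login host="db01.example.internal" user="admin"',
    'Apr 07 15:52:07 web cockpit-ws[1337]: login host="db01.example.internal" user="-oProxyCommand=/bin/true"',
    'Apr 07 15:52:09 web cockpit-ws[1337]: login host="-oProxyCommand=/bin/true" user="root"',
]
LOGIN_RE = re.compile(r'login host="([^"]*)" user="([^"]*)"')


def suspicious_login_targets(lines):
    """Return (host, user) pairs the hardened builder would reject.

    A leading "-" is the argument-injection signature; shell metacharacters
    point at the command-injection variant. Both show up in the same fields.
    """
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and not is_safe_destination(*m.groups()):
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    print(model_ssh_parse(build_argv_vulnerable("db01", "-oProxyCommand=/bin/true")))
    print(model_ssh_parse(build_argv_hardened("db01", "admin")))
    print(suspicious_login_targets(SAMPLE_LOG))
```

Run stand-alone, the first line shows the username swallowed as a `-o` option with no destination left, the second shows the hardened argv parsed as two option arguments plus a destination, and the third lists the two constructed log lines that deserve an alert. Using one allow-list for both the builder and the detector keeps the two in step: whatever the patched code would refuse is exactly what the log review should surface.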


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:15:00 +0000
  CPEs: removed cpe:/o:redhat:enterprise_linux:10; added cpe:/o:redhat:enterprise_linux:10.1
  References: updated

Fri, 10 Apr 2026 17:30:00 +0000
  References: updated

Fri, 10 Apr 2026 15:30:00 +0000
  First time appeared: Redhat rhel Eus
  CPEs: removed cpe:/o:redhat:enterprise_linux:9; added cpe:/a:redhat:enterprise_linux:9::appstream, cpe:/a:redhat:rhel_eus:9.6::appstream, cpe:/o:redhat:enterprise_linux:9::baseos, cpe:/o:redhat:rhel_eus:9.6::baseos
  Vendors & Products: added Redhat rhel Eus
  References: updated

Fri, 10 Apr 2026 14:45:00 +0000
  First time appeared: Redhat enterprise Linux Eus
  CPEs: added cpe:/o:redhat:enterprise_linux_eus:10.0
  Vendors & Products: added Redhat enterprise Linux Eus
  References: updated

Wed, 08 Apr 2026 15:15:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 00:15:00 +0000
  References: updated
  Metrics: threat_severity changed from None to Critical

Tue, 07 Apr 2026 18:00:00 +0000
  Description: added (the text shown at the top of this page)
  Title: added "Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection"
  First time appeared: Redhat, Redhat enterprise Linux
  Weaknesses: added CWE-78
  CPEs: added cpe:/o:redhat:enterprise_linux:10, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
  Vendors & Products: added Redhat, Redhat enterprise Linux
  References: added
  Metrics: added cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-10T21:05:16.830Z

Reserved: 2026-03-23T08:25:21.305Z

Link: CVE-2026-4631

Vulnrichment

Updated: 2026-04-10T16:18:24.308Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T17:16:38.010

Modified: 2026-04-10T21:16:28.053

Link: CVE-2026-4631

Redhat

Severity : Critical

Public Date: 2026-04-07T15:52:00Z

Links: CVE-2026-4631 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses