CVE-2026-6626 - Vulnerability Details

- Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection

Description

A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-20

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in the Asset Handler/Aggregate Handler of Cockpit‑HQ Cockpit and is caused by improper neutralization of special elements in data query logic. The flaw allows a malicious actor to inject crafted query content when interacting with the handler, potentially influencing data retrieval or other query logic without executing arbitrary commands. The impact is limited to confidentiality and integrity of the queried data, though broader system disruption could arise if query logic misbehaves.

Affected Systems

Cockpit‑HQ Cockpit, versions up to 2.13.5 are affected. Any deployment that exposes the Asset Handler or Aggregate Handler functionality to external traffic is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, but the public disclosure and remote nature of the attack suggest that exploitation is feasible from outside the network. An attacker can send specially crafted queries to the vulnerable endpoint, leveraging the injection to manipulate data retrieval or execution flows. Given the moderate severity and remote exploitability, immediate attention is warranted to prevent potential compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cockpit-HQ

Cockpit

affected

Version	Status	Constraints
`2.13.0`	affected	—
`2.13.1`	affected	—
`2.13.2`	affected	—
`2.13.3`	affected	—
`2.13.4`	affected	—
`2.13.5`	affected	—

No data.

Vendor Product Confidence Versions

Cockpit-hq

Cockpit

95%

Version	Status	Scheme	Platform
`2.13.0`	affected	semver	—
`2.13.1`	affected	semver	—
`2.13.2`	affected	semver	—
`2.13.3`	affected	semver	—
`2.13.4`	affected	semver	—
`2.13.5`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Cockpit‑HQ Cockpit to a version that includes the fix for the Asset Handler/Aggregate Handler injection flaw.
If no patch is immediately available, restrict access to the Asset Handler and Aggregate Handler endpoints by firewall rules or network segmentation to limit exposure to trusted users and systems.
Implement input validation and sanitization on all query parameters, ensuring that special elements are properly escaped or using parameterized queries to prevent injection.
Apply strict access controls so that only authorized roles can invoke aggregate query functionality, reducing the attack surface.

Generated by OpenCVE AI on April 20, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/NicolasPauferro/studiesofnosqli
https://vuldb.com/submit/792601
https://vuldb.com/vuln/358261
https://vuldb.com/vuln/358261/cti

History

Mon, 20 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cockpit-hq Cockpit-hq cockpit
Vendors & Products		Cockpit-hq Cockpit-hq cockpit

Mon, 20 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection
Weaknesses		CWE-20 CWE-943
References		https://github.com/NicolasPauferro/studiesofnosqli https://vuldb.com/submit/792601 https://vuldb.com/vuln/358261 https://vuldb.com/vuln/358261/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Cockpit-hq Cockpit

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-20T09:45:12.067Z

Updated: 2026-04-20T15:23:47.915Z

Reserved: 2026-04-19T16:43:04.982Z

Link: CVE-2026-6626

Vulnrichment

Updated: 2026-04-20T15:23:39.548Z

NVD

Status : Received

Published: 2026-04-20T10:16:17.943

Modified: 2026-04-20T10:16:17.943

Link: CVE-2026-6626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T12:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object