CVE-2026-34965
Authenticated Remote Code Execution in Cockpit CMS via Malicious Collection Rules
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agentejo | cockpit | up to and including commit 494765e |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The flaw is in the /cockpit/collections/save_collection endpoint of Cockpit CMS. An authenticated user who holds collection management privileges can place arbitrary PHP code in the collection rules parameters of a save request; the endpoint does not neutralize it (CWE-94, code injection).
The endpoint writes the submitted rule text into PHP files on the server and later loads those files with include(), so whatever the rule contains runs with the privileges of the web server process. No further step is needed: saving the collection is enough to get the code executed.
How can this vulnerability impact me?
Exploitation gives an attacker remote code execution as the web server user on the host running Cockpit CMS. Every account with collection management rights is therefore effectively a server administrator: the attacker can read or alter all content the CMS stores, modify the application's own files, plant persistence, and attempt privilege escalation or lateral movement from that host.
Typical consequences are data theft, data manipulation, service disruption, or further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two sources are useful: the web server or application logs, which show who called /cockpit/collections/save_collection and when, and the Cockpit storage directory, which shows what those calls actually wrote to disk. Only accounts with collection management privileges can reach the endpoint, so every POST to it should correspond to a known, legitimate change.
Start by listing POST requests to the endpoint and checking that each one comes from an expected account and client address at an expected time.
Example commands:
- grep 'POST /cockpit/collections/save_collection' /var/log/apache2/access.log
  A standard access log records only the request line, not the body where the rule text travels, so patterns such as <\?php|eval\(|base64_decode\( will only match here if the payload appeared in the query string. To match on bodies you need a WAF or application audit log that records POST data.
- grep -rE 'eval\(|system\(|shell_exec\(|passthru\(|base64_decode\(' /path/to/cockpit/storage/collections/
  Because the endpoint stores rules as PHP files, a bare <?php tag is expected in legitimate files and is not evidence on its own; search instead for the functions an injected rule would call.
Additionally, compare the modification times of the rule files under the storage directory with the timestamps of the POST requests found above: a rule file that changed at the time of an unexplained save request is the strongest indicator of exploitation.
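The two checks above, as an added example (not part of this advisory page and not code from Cockpit CMS): a scanner that flags recently modified PHP rule files containing functions an injected rule would call, and a parser that pulls save_collection POSTs out of a combined-format access log so their timestamps can be matched against file modification times. The storage layout (collections/rules/*.php), the sample rule files and the log lines are all constructed for the example.

```python
"""Added example: detect dropped PHP in Cockpit collection rule files and
correlate with save_collection requests. Paths, file names and log lines are
constructed for illustration, not taken from a real Cockpit install."""
import os
import re
import tempfile
import time
from pathlib import Path

ENDPOINT = "/cockpit/collections/save_collection"

# Functions an injected rule typically reaches for. A bare "<?php" is expected
# in rule files written by the endpoint, so it is never used as the sole signal.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13|file_put_contents)\s*\(",
    re.IGNORECASE,
)
PHP_OPEN = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def scan_rule_files(storage_dir, max_age_seconds=7 * 86400):
    """Return [(path, [function names])] for .php files under storage_dir that
    were modified within max_age_seconds and contain a PHP open tag plus at
    least one suspicious call."""
    hits = []
    now = time.time()
    for path in sorted(Path(storage_dir).rglob("*.php")):
        if now - path.stat().st_mtime > max_age_seconds:
            continue  # old file: outside the window being investigated
        text = path.read_text(errors="replace")
        if not PHP_OPEN.search(text):
            continue
        funcs = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text)})
        if funcs:
            hits.append((str(path), funcs))
    return hits


def scan_save_requests(log_lines):
    """Return (client_ip, timestamp, status) for POSTs to the endpoint in a
    combined-format access log. Bodies are not logged, so this shows who saved
    a collection and when; pair it with scan_rule_files to see what landed."""
    pat = re.compile(
        r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST ' + re.escape(ENDPOINT) + r'[^"]*" (\d{3})'
    )
    found = []
    for line in log_lines:
        m = pat.match(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def build_sample_storage():
    """Construct a throwaway storage tree (constructed data): one benign rule,
    one with an injected payload, and one old file the age filter must skip."""
    root = tempfile.mkdtemp(prefix="cockpit-rules-")
    rules = Path(root) / "collections" / "rules"
    rules.mkdir(parents=True)
    (rules / "posts.read.php").write_text("<?php\nreturn $user['group'] == 'admin';\n")
    (rules / "posts.create.php").write_text("<?php\nsystem($_GET['c']);\n")
    old = rules / "legacy.update.php"
    old.write_text("<?php\neval('1');\n")
    stamp = time.time() - 30 * 86400
    os.utime(old, (stamp, stamp))
    return root


# Constructed access-log lines (combined format), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2026:10:01:02 +0000] "POST /cockpit/collections/save_collection HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Apr/2026:10:01:03 +0000] "GET /cockpit/collections HTTP/1.1" 200 8012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Apr/2026:10:05:00 +0000] "POST /cockpit/collections/save_collection HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    root = build_sample_storage()
    for path, funcs in scan_rule_files(root):
        print(f"suspicious rule file: {path} calls {funcs}")
    for ip, when, status in scan_save_requests(SAMPLE_LOG):
        print(f"save_collection POST from {ip} at {when} -> {status}")
```

On a real host point scan_rule_files at the Cockpit storage directory and feed scan_save_requests the access log; a 200 response from an unexpected client at the same minute a rule file changed is the combination worth escalating.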
What immediate steps should I take to mitigate this vulnerability?
Update Cockpit CMS to a release newer than commit 494765e, which is the last affected commit listed above, as soon as the upgrade can be tested.
If patching is not immediately possible, reduce exposure of the endpoint. The vulnerability requires only collection management privileges, so review every account that holds them and remove the right from any account that does not strictly need it; treat the remaining accounts as server administrators, with the same password and session hygiene. Where the admin UI is not needed from the internet, block /cockpit/ at the reverse proxy or firewall except from trusted networks.
Additionally, audit the rule files under the Cockpit storage directory for PHP that was not written by your team, and log every request to /cockpit/collections/save_collection with the acting account so later changes can be attributed.
Long-term remediation is a design change rather than a filter: never execute user-supplied text as PHP. Store rules as data (e.g., JSON), reject any rule input that contains PHP tags or other code markers, and evaluate rules only through a fixed whitelist of predefined predicates.
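The long-term remediation pattern, as an added example written for this page (it is not Cockpit's code, and Python is used only to show the logic; a PHP application would implement the same checks in PHP): rules arrive as JSON, any input carrying PHP or ASP-style tags is rejected before parsing, the schema and predicate names are checked against a whitelist, and evaluation dispatches to fixed functions so no rule text is ever executed. The rule schema, the predicate names and the sample inputs are hypothetical.

```python
"""Added example (not Cockpit's code): store collection rules as data and
evaluate them through a whitelist instead of writing them into PHP files.
Schema, predicate names and sample inputs are hypothetical."""
import json
import re

# Anything that would become executable if the text ever landed in a .php
# file: long/short/echo open tags, ASP-style tags, legacy <script language=php>.
CODE_MARKERS = re.compile(r"<\?|<%|<script[^>]*language\s*=\s*['\"]?php", re.IGNORECASE)

ALLOWED_ACTIONS = {"create", "read", "update", "delete"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # collection name: no path separators


def _user_in_group(ctx, group):
    return ctx.get("user", {}).get("group") == group


def _field_equals(ctx, field, value):
    return ctx.get("entry", {}).get(field) == value


# The whitelist: (callable, number of string arguments). Nothing else can run.
PREDICATES = {
    "user_in_group": (_user_in_group, 1),
    "field_equals": (_field_equals, 2),
    "always": (lambda ctx: True, 0),
}


class RuleError(ValueError):
    """Raised for any rule input outside the schema."""


def validate_rules(raw):
    """Parse rules submitted as JSON text. Returns
    {action: {"predicate": name, "args": [str, ...]}} or raises RuleError."""
    if "\x00" in raw or CODE_MARKERS.search(raw):
        raise RuleError("rule input contains code markers")
    try:
        rules = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RuleError(f"not valid JSON: {exc}") from None
    if not isinstance(rules, dict) or not set(rules) <= ALLOWED_ACTIONS:
        raise RuleError("unknown action key")
    for action, rule in rules.items():
        if not isinstance(rule, dict) or set(rule) != {"predicate", "args"}:
            raise RuleError(f"{action}: rule must be {{predicate, args}}")
        entry = PREDICATES.get(rule["predicate"])
        if entry is None:
            raise RuleError(f"{action}: unknown predicate {rule['predicate']!r}")
        args = rule["args"]
        if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
            raise RuleError(f"{action}: args must be a list of strings")
        if len(args) != entry[1]:
            raise RuleError(f"{action}: {rule['predicate']} takes {entry[1]} args")
    return rules


def evaluate(rules, action, ctx):
    """Deny by default; otherwise call the whitelisted predicate with its args."""
    rule = rules.get(action)
    if rule is None:
        return False
    func, _ = PREDICATES[rule["predicate"]]
    return bool(func(ctx, *rule["args"]))


def rule_file_path(storage_dir, collection):
    """Rules are written to a .json file, never to .php, and only for safe names."""
    if not SAFE_NAME.fullmatch(collection):
        raise RuleError("invalid collection name")
    return f"{storage_dir}/collections/rules/{collection}.rules.json"


def rejects(raw):
    """True if validate_rules refuses the input (convenience for checks)."""
    try:
        validate_rules(raw)
    except RuleError:
        return True
    return False


# Constructed sample inputs.
GOOD = ('{"read": {"predicate": "always", "args": []}, '
        '"create": {"predicate": "user_in_group", "args": ["editors"]}}')
INJECTED = '{"create": {"predicate": "always", "args": ["<?php system(1);"]}}'
UNKNOWN_PREDICATE = '{"create": {"predicate": "eval", "args": []}}'
BAD_ARITY = '{"create": {"predicate": "always", "args": ["x"]}}'

if __name__ == "__main__":
    rules = validate_rules(GOOD)
    print("editor may create:", evaluate(rules, "create", {"user": {"group": "editors"}}))
    print("guest may delete:", evaluate(rules, "delete", {}))
    print("injected rejected:", rejects(INJECTED))
    print("stored at:", rule_file_path("/var/www/cockpit/storage", "posts"))
```

The CODE_MARKERS check is defence in depth, not the fix: the fix is that validated rules are stored as .json and evaluated by table lookup, so even a marker that slipped past the regex has nothing to execute it.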
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because exploitation yields arbitrary code execution on the server, a successful attack is a full compromise of the host and of every data store the CMS can reach, including any personal data or protected health information it holds.
Such a compromise can amount to a reportable breach under GDPR or HIPAA, and leaving a known remote code execution flaw unpatched weakens the case that appropriate technical measures were in place.
The vulnerability is therefore a direct risk to the confidentiality and integrity obligations those regulations impose, and patching it promptly should be treated as part of meeting them.