CVE-2026-38991
Authenticated File Upload Bypass Leading to RCE in Cockpit CMS
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cockpit | cockpit | up to 2.14.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Cockpit CMS version 2.13.5 and earlier, specifically the _isFileTypeAllowed function of the Bucket component. Because of a flaw in that function, its extension filter can be bypassed with a specially crafted filename, which lets an authenticated attacker rename arbitrary files so that they carry a .php extension.
As a result, the attacker can execute arbitrary code on the underlying server.
How can this vulnerability impact me?
An attacker who is authenticated can exploit this vulnerability to rename files with a .php extension, enabling them to execute arbitrary code on the server. This can lead to unauthorized control over the server, potentially allowing data theft, data manipulation, service disruption, or further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-38991 allows an authenticated attacker to execute arbitrary code on the server by bypassing file extension restrictions and uploading malicious PHP files. This can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
Therefore, organizations using vulnerable versions of Cockpit CMS may face increased risk of non-compliance due to this security flaw.
Can you explain this vulnerability to me?
CVE-2026-38991 is an arbitrary code execution vulnerability in Cockpit CMS versions up to 2.13.5. It exists in the Buckets module, which does not properly restrict file uploads: the _isFileTypeAllowed function that is meant to block PHP files can be bypassed with a specially crafted filename. This lets an authenticated attacker rename or upload files with a .php extension and then execute arbitrary code on the underlying server with the privileges of the web server process.
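The filter logic described in both explanations above, shown as an added Python example that is not Cockpit's PHP code and not the actual _isFileTypeAllowed implementation: a naive denylist of the shape CWE-434 warns about, beside an allowlist check that canonicalises the name the way servers do and refuses any executable-looking segment. EXECUTABLE_EXTS, ALLOWED_EXTS, the probe filenames and all function names are assumptions for illustration; the advisory does not say which crafted filename defeats Cockpit's filter, so the probes cover the common tricks rather than one known payload.

```python
import re
import secrets

# Extensions a PHP web server (or its handlers) may execute. Illustrative
# list (assumption); extend it for the handlers enabled on the target host.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "pht", "phar",
    "phps", "shtml", "htaccess", "cgi", "pl", "py", "sh",
}

# What a conservative asset bucket actually needs to accept (assumption).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "csv"}


def weak_is_file_type_allowed(name: str) -> bool:
    """Hypothetical denylist filter (not Cockpit's code): looks only at the
    text after the last dot and compares it case-sensitively to one literal."""
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext != "php"


# Lower-case canonical name: base, optional dotted middle parts, final ext.
_SAFE_NAME = re.compile(r"^[a-z0-9_-]+(?:\.[a-z0-9_-]+)*\.([a-z0-9]{1,6})$")


def hardened_is_file_type_allowed(name: str) -> bool:
    """Allowlist filter: reject control characters and path separators,
    canonicalise as servers and filesystems do (trailing dots/spaces dropped,
    case folded), require a final extension from ALLOWED_EXTS and refuse any
    dotted segment a server might treat as a handler extension."""
    if not name or any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return False
    if "/" in name or "\\" in name:
        return False
    canon = name.lower().rstrip(" .")
    m = _SAFE_NAME.match(canon)
    if m is None:
        return False
    segments = canon.split(".")[1:]          # every extension-like part
    if any(seg in EXECUTABLE_EXTS for seg in segments):
        return False
    return m.group(1) in ALLOWED_EXTS


def stored_name(name: str) -> str:
    """Defence in depth: never store under the client-chosen name. Keep only
    the validated extension and generate the basename server-side."""
    if not hardened_is_file_type_allowed(name):
        raise ValueError("file type not allowed: %r" % name)
    ext = name.lower().rstrip(" .").rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed probe names covering common filename tricks against a naive
# denylist. Which of them (if any) defeats the Cockpit filter is not stated
# in the advisory; they show why a denylist is the wrong shape.
PROBES = [
    "photo.JPG",          # legitimate upload, odd case
    "shell.php",          # the one case the weak filter catches
    "shell.PHP",          # case variant
    "shell.phtml",        # alternative PHP extension
    "shell.php.",         # trailing dot, stripped by some servers/filesystems
    "shell.php ",         # trailing space, same idea
    "shell.php.jpg",      # double extension; Apache AddHandler setups run this
    "shell.php\x00.jpg",  # embedded NUL, historically truncated the name
    "../shell.jpg",       # path separator
]


def compare(probes=PROBES) -> dict:
    """Return {name: (weak_verdict, hardened_verdict)} for each probe."""
    return {p: (weak_is_file_type_allowed(p), hardened_is_file_type_allowed(p))
            for p in probes}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name!r:22} weak={weak!s:5} hardened={hard}")
```

Of the nine probes, the denylist lets eight through and only the hardened allowlist rejects everything except photo.JPG. Even with the hardened check, the stored file should never keep the attacker's chosen basename, and the upload directory should not be served through the PHP handler at all.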
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary code on the server hosting Cockpit CMS. This can lead to full compromise of the server, including unauthorized access to sensitive data, modification or deletion of files, and potentially using the server as a foothold to attack other systems. Because the attacker can run code with web service privileges, the impact is severe, affecting confidentiality, integrity, and availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability lets an authenticated user upload or rename files with a .php extension, bypassing the file type filter in the Buckets module of Cockpit CMS up to version 2.13.5. First confirm whether the installed Cockpit version is below 2.14.0; any such instance is affected regardless of what the upload directories currently contain.
To detect exploitation, check the upload directories managed by the Buckets module for .php files, especially ones that were renamed or uploaded by authenticated users. Since the advisory does not say which crafted filename defeats the filter, also look for case variants (.PHP), other PHP-handled extensions (.phtml, .phar) and double extensions (.php.jpg), which a search for '*.php' alone misses.
Commands to help detect this might include:
- `find /path/to/cockpit/uploads -type f -name '*.php'`
- `grep -r --include='*.php' '<?php' /path/to/cockpit/uploads`
Additionally, review web server logs for requests to .php files under the upload directories and monitor for unexpected file renames by authenticated users; either can reveal exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Cockpit CMS to version 2.14.0 or later, where this vulnerability is patched.
Until the upgrade can be applied, restrict authenticated user permissions so that only trusted accounts can upload or rename files in the Buckets module.
Additional mitigation steps include:
- Implement strict access controls on the Buckets upload directories.
- Disable or limit the ability to upload or rename files with executable extensions such as .php.
- Monitor and audit file uploads and renaming activities closely.
- Harden the web server so that nothing under the upload directories is executed as PHP: on Apache with mod_php, set php_admin_flag engine off (or remove the PHP handler) for that directory and disallow .htaccess overrides there; on nginx, make sure no location block forwards requests under the upload path to PHP-FPM. This contains the impact even if the filter is bypassed again.