CVE-2026-38991
Received Received - Intake
Authenticated File Upload Bypass Leading to RCE in Cockpit CMS

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: MITRE

Description
Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-38991
EUVD
EUVD-2026-26242
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cockpit cockpit to 2.14.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-38991 is an Arbitrary Code Execution vulnerability in Cockpit CMS versions up to 2.13.5. It exists in the Buckets module, which improperly restricts file uploads. Specifically, the _isFileTypeAllowed function meant to block PHP file uploads can be bypassed by using specially crafted filenames. This allows an authenticated attacker to rename or upload files with a .php extension, enabling them to execute arbitrary code on the underlying server with the privileges of the web service.

Executive Summary

This vulnerability exists in Cockpit version 2.13.5 and earlier, specifically in the Bucket component's _isFileTypeAllowed function. Due to a misconfiguration, the function's extension filter can be bypassed by using a specially crafted filename. This allows an authenticated attacker to rename arbitrary files with a .php extension.

As a result, the attacker can execute arbitrary code on the underlying server.

Impact Analysis

An attacker who is authenticated can exploit this vulnerability to rename files with a .php extension, enabling them to execute arbitrary code on the server. This can lead to unauthorized control over the server, potentially allowing data theft, data manipulation, service disruption, or further attacks within the network.

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary code on the server hosting Cockpit CMS. This can lead to full compromise of the server, including unauthorized access to sensitive data, modification or deletion of files, and potentially using the server as a foothold to attack other systems. Because the attacker can run code with web service privileges, the impact is severe, affecting confidentiality, integrity, and availability of the system.

Compliance Impact

CVE-2026-38991 allows an authenticated attacker to execute arbitrary code on the server by bypassing file extension restrictions and uploading malicious PHP files. This can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Therefore, organizations using vulnerable versions of Cockpit CMS may face increased risk of non-compliance due to this security flaw.

Detection Guidance

This vulnerability involves the ability of an authenticated user to upload or rename files with a .php extension bypassing the file type filter in the Buckets module of Cockpit CMS up to version 2.13.5.

To detect this vulnerability on your system, you can check for the presence of suspicious .php files in upload directories managed by the Buckets module, especially those that may have been renamed or uploaded by authenticated users.

Commands to help detect this might include searching for .php files in the upload directories, for example:

  • find /path/to/cockpit/uploads -type f -name '*.php'
  • grep -r --include='*.php' '<?php' /path/to/cockpit/uploads

Additionally, reviewing web server logs for unusual requests to .php files in upload directories or monitoring for unexpected file renaming activities by authenticated users could help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Cockpit CMS to version 2.14.0 or later, where this vulnerability has been patched.

Until the upgrade can be applied, you should restrict authenticated user permissions to prevent unauthorized file uploads or renaming in the Buckets module.

Additional mitigation steps include:

  • Implement strict access controls on the Buckets upload directories.
  • Disable or limit the ability to upload or rename files with executable extensions such as .php.
  • Monitor and audit file uploads and renaming activities closely.
  • Harden web server configurations to prevent execution of PHP files in upload directories if possible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart