CVE-2026-38993
Status: Received - Intake
Directory Traversal in Cockpit CMS via Buckets Component

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: MITRE

Description
Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.
Meta Information
Published: 2026-04-29
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-04-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs

Vendor  | Product      | Version / Range
cockpit | cockpit      | up to 2.13.5 (inclusive)
cockpit | cockpit      | 2.14.0
cockpit | cockpit_cms  | up to 2.13.5 (inclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Cockpit version 2.13.5 and earlier. It is a directory traversal vulnerability in the Buckets component that allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite existing assets with malicious versions.


How can this vulnerability impact me?

An attacker who exploits this vulnerability can place malicious files in unintended locations or replace legitimate files with malicious ones. This can lead to unauthorized code execution, data corruption, or compromise of the system's integrity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how CVE-2026-38993 affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-38993 is a directory traversal vulnerability in Cockpit version 2.13.5 and earlier, specifically in the Buckets component. This flaw allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite existing assets with malicious versions.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to place malicious files in unintended locations within the uploads directory or overwrite legitimate assets. This can lead to the execution of malicious code or compromise of the system's integrity, potentially allowing attackers to control or disrupt the affected application.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Cockpit CMS to version 2.14.0 or later, where the Buckets path traversal vulnerability has been fixed.

The update also includes security improvements such as better session cookie handling, input validation enhancements, and stricter access control enforcement.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves directory traversal and unauthorized file writes via the Buckets component in Cockpit CMS versions up to 2.13.5. Detection involves checking for suspicious file uploads or modifications within the uploads directory, especially files that are unexpected or could be malicious.

Since the vulnerability requires authentication, monitoring authenticated user activity related to file uploads in the Buckets module is important.

Suggested commands to detect potential exploitation include:

  • Searching for recently modified or created files in the uploads directory that may indicate unauthorized writes:
    find /path/to/cockpit/uploads -type f -mtime -7 -ls
  • Checking web server logs for suspicious POST requests to the Buckets upload endpoints, which may indicate attempts to upload malicious files:
    grep 'POST' /var/log/nginx/access.log | grep '/buckets/upload'
  • Looking for files with suspicious extensions or PHP files that bypassed restrictions:
    find /path/to/cockpit/uploads -type f \( -name '*.php' -o -name '*.phtml' \) -ls
  • Reviewing authenticated user activity in application logs to identify unusual upload behavior.

Upgrading to Cockpit CMS version 2.14.0 or later is recommended to mitigate this vulnerability.

