Executive Summary

CVE-2026-4802 is a vulnerability in the Cockpit project's system logs user interface (UI) that allows a remote attacker to execute arbitrary commands on the host system.

The flaw exists because user-controlled parameters in crafted links are passed unsanitized to a shell command constructed in the logs UI code. Specifically, the vulnerability arises in the `loadServiceFilters()` function of the `logsJournal.jsx` file, where these parameters are joined into a command string and executed via `/bin/bash -ec` without proper sanitization.

An attacker can inject shell metacharacters and command substitutions (like `$(...)`) into these parameters, which leads to arbitrary shell command execution on the affected system.

A proof-of-concept demonstrated this by executing the `id` command and writing its output to a file, confirming remote code execution capability.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete system compromise because it allows remote attackers to execute arbitrary shell commands on the host system.

An attacker exploiting this flaw could gain unauthorized control over the affected system, potentially leading to data theft, system disruption, installation of malware, or further attacks within the network.

Since the vulnerability is remotely exploitable via the Cockpit system logs UI, any exposed or accessible Cockpit interface could be targeted.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the unsanitized user-controlled parameters in the Cockpit system logs UI. Specifically, crafted URLs with shell metacharacters or command substitutions can be used to test if arbitrary commands are executed on the host.

A proof-of-concept involves injecting a command such as `id` via the URL parameters and checking for its output on the system, for example by verifying the presence of a file like `/tmp/cockpit-rce-proof` created by the injected command.

Since the vulnerability arises from the `loadServiceFilters()` function executing commands via `/bin/bash -ec` with unsanitized input, you can test by crafting a URL similar to: `http://<cockpit-host>/#/system/logs#/?since=$(id > /tmp/cockpit-rce-proof)` and then checking if the file `/tmp/cockpit-rce-proof` exists on the system.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Cockpit system logs UI to trusted users only, as the vulnerability requires access to the Cockpit interface.

Until a patch is released, avoid clicking or following untrusted or suspicious links containing parameters in the system logs UI that could be crafted to exploit this vulnerability.

Monitor for unusual files or command execution traces on the system, such as unexpected files like `/tmp/cockpit-rce-proof`, which may indicate exploitation attempts.

Apply the official patch or update Cockpit to a version where this vulnerability is fixed as soon as it becomes available.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows remote arbitrary command execution on the host system, which could lead to a complete system compromise.

Such a compromise can result in unauthorized access, modification, or destruction of sensitive data, potentially violating data protection requirements under standards like GDPR and HIPAA.

Organizations using affected versions of Cockpit may fail to maintain the confidentiality, integrity, and availability of their systems and data, thereby impacting compliance with these regulations.

Useful 0 Not Useful 0