CVE-2026-13533
Status: Received - Intake

Path Traversal in Cockpit CMS

Vulnerability report for CVE-2026-13533, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. The issue affects the function Spyc::YAMLLoad of the file /config/config.yaml in the component htaccess Handler. The manipulation leads to files or directories being accessible to unauthorized actors. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed to mitigate the issue. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

  • Published: 2026-06-29
  • Last Modified: 2026-06-29
  • Generated: 2026-06-29
  • AI Q&A: 2026-06-29
  • EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

  • Vendor: agentejo; Product: cockpit; Version / Range: up to 0.12.2 (inclusive)

CWE

  • CWE-552: The product makes files or directories accessible to unauthorized actors, even though they should not be.
  • CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Executive Summary

CVE-2026-13533 is a security vulnerability in agentejo Cockpit CMS up to version 0.12.2. The issue arises because the configuration file config/config.yaml is stored in the webroot directory and is not properly protected by access controls. Specifically, the .htaccess rules do not block access to this file in Apache default setups, and nginx does not support .htaccess files, leaving the file exposed.

This vulnerability allows an attacker to remotely access and retrieve sensitive configuration data such as SMTP credentials, API keys, database settings, and group permissions by sending a simple HTTP GET request to /config/config.yaml.

The root cause is a directory-scoped .htaccess directive that fails to protect subdirectories and the lack of equivalent protections in nginx configurations.

Compliance Impact

This vulnerability allows unauthorized remote attackers to access sensitive configuration files, including SMTP credentials, API keys, database settings, and group permissions. Such unauthorized disclosure of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Because the config.yaml file is accessible due to improper access controls, organizations using the affected Cockpit CMS versions may fail to meet compliance requirements related to confidentiality, integrity, and access control of sensitive data.

Furthermore, the lack of vendor response and absence of official mitigations increase the risk of non-compliance, as organizations may not be able to adequately secure their systems against this vulnerability.

Impact Analysis

This vulnerability can have significant impacts because it exposes sensitive configuration information to unauthorized parties. Attackers can obtain SMTP credentials, API keys, database connection details, and group permissions.

With this information, attackers could potentially gain further unauthorized access to the system, send emails on behalf of the organization, manipulate data, or escalate privileges.

Since the exploit can be launched remotely without authentication, it increases the risk of compromise for any affected Cockpit CMS installation using default or unmodified configurations.

Detection Guidance

This vulnerability can be detected by attempting to access the sensitive configuration file config/config.yaml via HTTP requests on the affected Cockpit CMS server.

A simple way to test this on a server you administer is to send an HTTP GET request to the URL path /config/config.yaml and inspect the status code and body.

  • Using curl (shows status line, headers and body): curl -i http://<target-server>/config/config.yaml
  • Using wget (--spider only reports whether the URL exists, not its contents): wget --spider http://<target-server>/config/config.yaml

If the file is accessible and returns sensitive configuration data such as SMTP credentials, API keys, or database settings, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves restricting access to the config/config.yaml file to prevent unauthorized retrieval.

For Apache servers, review and update the .htaccess rules to ensure that access to the config directory and its files is properly denied.

For nginx servers, implement explicit access restrictions in the server configuration since nginx does not support .htaccess files.

As the vendor has not provided official mitigations and the repository is unmaintained, it is critical to manually secure the configuration files by moving them outside the webroot or applying strict access controls.

Additionally, monitor for any unauthorized access attempts and consider rotating any exposed credentials immediately.
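The nginx case above, as an added example that is not Cockpit's own or VulDB's configuration: a server block for a Cockpit install with the weak state described in the comments and the explicit deny rule that replaces the .htaccess nginx never reads. The webroot path, hostname and PHP-FPM socket are assumptions.

```nginx
# Added example (not Cockpit's shipped config): an nginx server block for a
# Cockpit CMS install. Hostname, webroot and PHP-FPM socket are assumptions.
server {
    listen 80;
    server_name cockpit.example.com;        # placeholder hostname
    root /var/www/cockpit;                  # assumed Cockpit webroot
    index index.php;

    # Weak setting: a vhost that carries only the PHP and front-controller
    # locations below. nginx ignores the .htaccess in the webroot, so
    # GET /config/config.yaml is served as a plain static file, exposing
    # SMTP credentials, API keys, database settings and group permissions.

    # Hardening: refuse everything under /config/ before static-file
    # handling runs. "^~" is a longest-prefix match that takes priority
    # over the regex locations below, so the path cannot fall through to
    # them. "deny all" answers 403 and writes "access forbidden by rule"
    # to error.log, which is the signal to watch for when monitoring.
    location ^~ /config/ {
        deny all;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

After nginx -t and a reload, the curl check from the Detection Guidance section should return 403 rather than 200 with YAML in the body. On Apache the equivalent that does not depend on AllowOverride is a `<Directory "/var/www/cockpit/config">` block containing `Require all denied` in the vhost configuration.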
