CVE-2026-58467
Received Received - Intake

Path Traversal and LFI in Cockpit CMS

Vulnerability report for CVE-2026-58467, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-03
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cockpit_cms cockpit_cms to 364 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by attempting to access files outside the intended '.spaces' directory using crafted URLs that include path traversal sequences such as '..'. For example, sending HTTP requests with URLs containing '../../' sequences targeting sensitive files like /etc/passwd can reveal if the server improperly serves these files.

You can use command-line tools like curl or wget to test for this vulnerability by requesting URLs that include path traversal payloads.

  • curl -i http://yourserver/index.php/../../../../../../etc/passwd
  • curl -i http://yourserver/index.php/../../../../../../var/www/cockpit/.spaces/somefile.php

If the server responds with the contents of these files or executes PHP files included via such paths, it indicates the presence of the vulnerability.

Executive Summary

CVE-2026-58467 is a path traversal and local file inclusion vulnerability in Cockpit CMS versions before release 364. It occurs because the application constructs filesystem paths using the PATH_INFO derived from the REQUEST_URI without properly validating or restricting path traversal sequences.

An unauthenticated attacker can inject dot-dot sequences ("..") into the URL to traverse outside the intended '.spaces' directory and read arbitrary files on the server. If the resolved path ends with a .php extension, the application includes that file using PHP's include() function, which can lead to local file inclusion or remote code execution in certain server configurations.

This vulnerability is fully exploitable in environments using PHP's built-in development server and potentially exploitable in some non-default Nginx setups, but not in default Apache deployments due to URL normalization.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to read any file on the server that the web server process has access to, potentially exposing sensitive information such as configuration files, credentials, or other private data.

Additionally, if the attacker can cause the application to include a PHP file, they may execute arbitrary PHP code on the server, leading to local file inclusion or remote code execution. This can compromise the entire server, allowing attackers to take control, modify data, or disrupt services.

Mitigation Strategies

Immediate mitigation steps include updating Cockpit CMS to version 364 or later, where the vulnerability has been fixed by adding proper path containment checks using realpath() to ensure file paths remain within the designated '.spaces' directory.

If updating is not immediately possible, consider the following temporary measures:

  • Avoid using the PHP built-in development server in production environments, as it does not normalize path traversal sequences.
  • Review and adjust Nginx configurations to ensure that PATH_INFO is properly normalized and that 'merge_slashes' is enabled to prevent raw URI path traversal.
  • Implement web application firewall (WAF) rules to block requests containing suspicious path traversal patterns like '../'.

Monitoring logs for unusual requests with path traversal attempts can also help in early detection and response.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart