oss-sec mailing list archives
CVE-2026-4802 [cockpit] Arbitrary code execution in the logs page via a specially crafted link
From: Jelle van der Waa <jelle () vdwaa nl>
Date: Wed, 20 May 2026 20:52:01 +0200
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise. [1]
The exploit requires the user to be logged in to Cockpit for the exploit to be successful. This has been fixed in Cockpit 362, specifically the linked commit. [2]
An POC is available in the test commit, an example of the exploit is https://cockpiturl:9090/system/logs#/?boot=0;touch${IFS}/tmp/pwned;&priority=err. [3]
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2451155[2] https://github.com/cockpit-project/cockpit/commit/e3a47d70f99a0dbbb427b3146ae9571cecc44296 [3] https://github.com/cockpit-project/cockpit/commit/7b401c90fd775dd89ffce194c947ff2e74f5e5ee
Current thread:
- CVE-2026-4802 [cockpit] Arbitrary code execution in the logs page via a specially crafted link Jelle van der Waa (May 20)