HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Unauthenticated RCE in Cockpit (CVE‑2026‑4631) Impacts Versions 327‑359

A public exploit for CVE‑2026‑4631 enables unauthenticated remote code execution on Cockpit web console versions 327‑359. The flaw lets attackers inject SSH arguments or username tokens to run arbitrary commands, threatening any organization that uses Cockpit for server management.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 exploit-db.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Unauthenticated Remote Code Execution in Cockpit (CVE‑2026‑4631) Affects Versions 327‑359

What Happened – A newly disclosed CVE‑2026‑4631 allows an unauthenticated attacker to inject arbitrary commands into the Cockpit web console’s SSH handling logic. By crafting a malicious URL (or username field) the attacker can trigger a ProxyCommand or “%r” token injection that executes arbitrary shell commands on the host running Cockpit.

Why It Matters for TPRM

  • The vulnerability provides full system compromise on any server that runs Cockpit without additional network segmentation.
  • Cockpit is bundled with many Linux distributions and is used by cloud‑hosted, on‑prem, and managed‑service environments, expanding the attack surface across multiple supply‑chain tiers.
  • Exploits are publicly available on Exploit‑DB, raising the likelihood of opportunistic attacks against third‑party vendors that rely on Cockpit for remote administration.

Who Is Affected – Cloud‑infrastructure providers, MSPs/MSSPs, SaaS platforms, and any organization that deploys Cockpit (versions 327‑359) for server management – spanning TECH_SAAS, CLOUD_INFRA, MANUF_IND, GOV_PUBLIC, and ENERGY_UTIL sectors.

Recommended Actions

  • Inventory all assets running Cockpit and verify version numbers.
  • Upgrade immediately to a patched release (≥ 360) or apply vendor‑provided mitigations (e.g., disable SSH ProxyCommand usage).
  • Enforce network segmentation so Cockpit UI is not reachable from untrusted networks.
  • Review third‑party contracts to confirm vendors have applied the fix or have alternative remote‑admin solutions.

Technical Notes

  • Attack Vector: Unauthenticated HTTP GET request to /cockpit+=-oProxyCommand=<cmd>/login or username field injection (x; <cmd>; #).
  • CVE: CVE‑2026‑4631 (Remote Code Execution via SSH argument injection).
  • Affected Versions: Cockpit 327‑359, tested on Debian‑based systems.
  • Data Types at Risk: System files, credentials, configuration data, and any data stored on the compromised host.
  • Mitigations: Upgrade, restrict access to Cockpit UI, disable OpenSSH versions < 9.6 on managed hosts, monitor for anomalous ProxyCommand usage.

Source: Exploit‑DB 52572

📰 Original Source
https://www.exploit-db.com/exploits/52572

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →