Unauthenticated Remote Code Execution in Cockpit (CVE‑2026‑4631) Affects Versions 327‑359
What Happened – A newly disclosed CVE‑2026‑4631 allows an unauthenticated attacker to inject arbitrary commands into the Cockpit web console’s SSH handling logic. By crafting a malicious URL (or username field) the attacker can trigger a ProxyCommand or “%r” token injection that executes arbitrary shell commands on the host running Cockpit.
Why It Matters for TPRM –
- The vulnerability provides full system compromise on any server that runs Cockpit without additional network segmentation.
- Cockpit is bundled with many Linux distributions and is used by cloud‑hosted, on‑prem, and managed‑service environments, expanding the attack surface across multiple supply‑chain tiers.
- Exploits are publicly available on Exploit‑DB, raising the likelihood of opportunistic attacks against third‑party vendors that rely on Cockpit for remote administration.
Who Is Affected – Cloud‑infrastructure providers, MSPs/MSSPs, SaaS platforms, and any organization that deploys Cockpit (versions 327‑359) for server management – spanning TECH_SAAS, CLOUD_INFRA, MANUF_IND, GOV_PUBLIC, and ENERGY_UTIL sectors.
Recommended Actions –
- Inventory all assets running Cockpit and verify version numbers.
- Upgrade immediately to a patched release (≥ 360) or apply vendor‑provided mitigations (e.g., disable SSH ProxyCommand usage).
- Enforce network segmentation so Cockpit UI is not reachable from untrusted networks.
- Review third‑party contracts to confirm vendors have applied the fix or have alternative remote‑admin solutions.
Technical Notes –
- Attack Vector: Unauthenticated HTTP GET request to
/cockpit+=-oProxyCommand=<cmd>/loginor username field injection (x; <cmd>; #). - CVE: CVE‑2026‑4631 (Remote Code Execution via SSH argument injection).
- Affected Versions: Cockpit 327‑359, tested on Debian‑based systems.
- Data Types at Risk: System files, credentials, configuration data, and any data stored on the compromised host.
- Mitigations: Upgrade, restrict access to Cockpit UI, disable OpenSSH versions < 9.6 on managed hosts, monitor for anomalous ProxyCommand usage.
Source: Exploit‑DB 52572