CVE-2026-31891
Published 2026-03-18
Priority: P3 (45) · Medium · CVSS 3.1 base score 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.40% (31.6th percentile)
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
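As an added illustration (not Cockpit's code), the defect class and the fix pattern described above re-implemented in Python against an in-memory SQLite table: the unsafe helper splices a caller-supplied field name into the `json_extract()` SQL text verbatim, while the hardened helper allowlists the name first, so the fixed `_state = 1` predicate cannot be rewritten. The regex, table layout and sample documents are assumptions, not Cockpit's own.

```python
import re
import sqlite3

# Allowlist for document field names that end up inside a json_extract() path.
# Assumption: dotted identifiers only; this follows the idea of the v2.13.3/2.13.5
# field-name sanitization but is not Cockpit's own regex.
FIELD_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*")

def to_json_extract_raw_unsafe(field):
    # Pre-fix pattern (illustrative, not Cockpit's code): the field name is spliced
    # into SQL text verbatim, so a quote or parenthesis in it rewrites the statement.
    return f"json_extract(document, '$.{field}')"

def to_json_extract_raw(field):
    # Hardened pattern: reject anything that is not a plain dotted identifier
    # before it gets anywhere near the SQL text.
    if not FIELD_NAME_RE.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    return f"json_extract(document, '$.{field}')"

def published_docs(conn, field, value):
    # Ids of published documents (_state = 1) whose `field` equals `value`.
    # Only the json path is built from caller input, after validation; the
    # compared value is bound as a parameter, never concatenated.
    sql = (
        "SELECT id FROM content "
        "WHERE json_extract(document, '$._state') = 1 "
        f"AND {to_json_extract_raw(field)} = ?"
    )
    return [row[0] for row in conn.execute(sql, (value,))]

def demo_db():
    # In-memory SQLite content table with constructed sample documents:
    # two published (_state 1) and one unpublished draft (_state 0).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, document TEXT)")
    docs = [
        '{"_state": 1, "title": "Launch", "category": "news"}',
        '{"_state": 0, "title": "Draft", "category": "news"}',
        '{"_state": 1, "title": "About", "category": "page"}',
    ]
    conn.executemany("INSERT INTO content (document) VALUES (?)", [(d,) for d in docs])
    return conn

if __name__ == "__main__":
    print(published_docs(demo_db(), "category", "news"))  # [1]: the draft stays hidden
```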
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agentejo | cockpit | < 2.13.5 | 2.13.5 |
| cockpit-hq | cockpit | < 2.13.5 | 2.13.5 |
| cockpit-hq | cockpit | >= 0 < 2.13.5 | 2.13.5 |
CVSS provenance
- NVD (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- OSV: 6.5 MEDIUM
OSV · 2026-03-18 · CVSS 6.5 [MEDIUM]
CVE-2026-31891: Cockpit is a headless content management system
GHSA · 2026-03-17 · [HIGH] · CWE-89
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
### Impact
This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.
Any Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled is potentially affected.
**Who is impacted:**
- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a **valid read-only API key** (the lowest privilege level) can exploit this vulnerability — no admin access is required.
**What an attacker can do:**
- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the `_state=1` published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.
OSV · 2026-03-17 · [HIGH]
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.
Published: 2026-03-18