cbcvebase.
CVE-2026-4631
published 2026-04-07


Priority: P185 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 14.20% (96.1th percentile)
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Affected (1 range)

Vendor   Product   Version range            Fixed in
debian   cockpit   < cockpit 360-1 (sid)    cockpit 360-1 (sid)

Detection & IOCs (extracted from sources)

url:      /cockpit+=-oProxyCommand=echo%20CVE-2026-4631%20%3E%20%2Fusr%2Fshare%2Fcockpit%2Fstatic%2F{(unknown)}.txt%20%23/login
path:     /cockpit+=/login
port:     9090
command:  python3 -m cockpit.beiboot
command:  python3 -ic '# cockpit-bridge'
path:     /usr/share/cockpit/static/
path:     /cockpit/static/
other:    Authorization: Basic Og==
  • Detect exploit attempts by monitoring HTTP GET requests to the Cockpit login endpoint where the URL path contains '-oProxyCommand' or other SSH option flags (strings starting with '-o') injected as the hostname segment between 'cockpit+=' and '/login'.
  • Alert on any HTTP request to '/cockpit+=/login' (or URL-path variants) that includes an 'Authorization: Basic' header with arbitrary or clearly invalid credentials, as this is sufficient to trigger the vulnerable SSH invocation without valid credentials.
  • Monitor for spawning of 'python3 -m cockpit.beiboot' or 'ssh' processes as children of the cockpit-ws process, especially when initiated from unauthenticated or pre-authentication sessions on port 9090.
  • For the username injection vector, detect SSH config use of '%r' in a 'Match exec' directive combined with inbound Cockpit login requests containing shell metacharacters (e.g., ';', '#') in the username field.
  • Use Shodan/FOFA queries 'title:"Cockpit"' or 'title="Cockpit"' to identify exposed Cockpit instances for asset inventory and attack surface reduction.
  • Nuclei template detection: a 401 response with body containing 'authentication-failed' from the injected login URL, followed by a 200 response from '/cockpit/static/<random>.txt' containing the canary string, confirms exploitation.
  • Time-based detection: send a username injection payload with 'sleep 5' and measure response latency; a delay of ≥5 seconds indicates the injected command was executed via the SSH %r token expansion.
  • Hostname injection (ProxyCommand via URL path) is only exploitable on systems running OpenSSH < 9.6. OpenSSH 9.6+ validates hostnames and rejects shell metacharacters before connection, blocking this attack path.
  • Username injection is only exploitable if the target system's SSH configuration uses the '%r' (remote username) token within a 'Match exec' directive. This is not part of any default OpenSSH configuration.
  • Both attack paths require that remote host login is enabled in Cockpit (the default) and that the attacker has network access to the Cockpit web service on port 9090. The vulnerability only exists in Cockpit versions 327–359 (beiboot/OpenSSH path); earlier versions using cockpit-ssh/libssh are not affected.
  • Red Hat Enterprise Linux 7 and 8 are listed as NOT affected; RHEL 9 and 10 are affected.
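As an added example (not code from the page's sources or from the Cockpit project), a small Python checker that applies the first two detection bullets above to request records: it decodes the hostname segment between 'cockpit+=' and '/login', flags a leading '-' (an SSH option in place of a hostname) or shell metacharacters, and checks the Basic-auth username for the '%r' vector. The sample requests are constructed, not captured traffic; header names are assumed lower-cased.

```python
import base64
import re
from urllib.parse import unquote

# Cockpit passes the path segment between 'cockpit+=' and '/login' to ssh as the host.
LOGIN_PATH = re.compile(r"^/cockpit\+=(?P<host>[^/]*)/login")
# Characters that have no legitimate place in a hostname or username handed to ssh.
SHELL_META = set(";#|&`$(){}<>'\"")


def basic_auth_user(header_value):
    """Return the username from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    return decoded.partition(":")[0]        # "Og==" decodes to ":" -> empty user


def inspect_request(path, headers):
    """Return findings for one request; an empty list means nothing suspicious."""
    m = LOGIN_PATH.match(path)
    if not m:
        return []                           # not the remote-login endpoint
    host = unquote(m.group("host"))         # the exploit URL is percent-encoded
    findings = []
    if host.startswith("-"):
        findings.append("ssh option injected as hostname: " + host.split("=")[0])
    if any(c in SHELL_META or c.isspace() for c in host):
        findings.append("shell metacharacter in hostname")
    user = basic_auth_user(headers.get("authorization", ""))
    if user is not None and any(c in SHELL_META or c.isspace() for c in user):
        findings.append("shell metacharacter in username (%r Match exec vector)")
    return findings


def scan(requests):
    """Map the index of each flagged (path, headers) pair to its findings."""
    return {i: f for i, (p, h) in enumerate(requests) if (f := inspect_request(p, h))}


# Constructed sample requests (not captured traffic); the second mimics the IOC URL shape.
SAMPLE_REQUESTS = [
    ("/cockpit+=db01.internal.example/login", {"authorization": "Basic " + base64.b64encode(b"alice:pw").decode()}),
    ("/cockpit+=-oProxyCommand%3Dtrue%20%23/login", {"authorization": "Basic Og=="}),
    ("/cockpit+=db01.internal.example/login", {"authorization": "Basic " + base64.b64encode(b"alice;true:pw").decode()}),
    ("/cockpit/static/main.js", {}),
]
```

Feeding the same function with fields parsed from a reverse-proxy or cockpit-ws access log gives the per-request alert described in the first two bullets.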

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vendor_debian             9.8     LOW
vendor_redhat             9.8     CRITICAL