CVE-2026-4631
Published 2026-04-07
Priority P185 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 14.20% (96.1st percentile)
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cockpit | < cockpit 360-1 (sid) | cockpit 360-1 (sid) |
Detection & IOCs (extracted from sources)
URL: /cockpit+=-oProxyCommand=echo%20CVE-2026-4631%20%3E%20%2Fusr%2Fshare%2Fcockpit%2Fstatic%2F{(unknown)}.txt%20%23/login

Detection:
- Detect exploit attempts by monitoring HTTP GET requests to the Cockpit login endpoint where the URL path contains '-oProxyCommand' or other SSH option flags (strings starting with '-o') injected as the hostname segment between 'cockpit+=' and '/login'.
- Alert on any HTTP request to '/cockpit+=/login' (or URL-path variants) that includes an 'Authorization: Basic' header with arbitrary or clearly invalid credentials, as this is sufficient to trigger the vulnerable SSH invocation without valid credentials.
- Monitor for spawning of 'python3 -m cockpit.beiboot' or 'ssh' processes as children of the cockpit-ws process, especially when initiated from unauthenticated or pre-authentication sessions on port 9090.
- For the username injection vector, detect SSH config use of '%r' in a 'Match exec' directive combined with inbound Cockpit login requests containing shell metacharacters (e.g., ';', '#') in the username field.
- Use Shodan/FOFA queries 'title:"Cockpit"' or 'title="Cockpit"' to identify exposed Cockpit instances for asset inventory and attack surface reduction.
- Nuclei template detection: a 401 response with body containing 'authentication-failed' from the injected login URL, followed by a 200 response from '/cockpit/static/<random>.txt' containing the canary string, confirms exploitation.
- Time-based detection: send a username injection payload with 'sleep 5' and measure response latency; a delay of ≥5 seconds indicates the injected command was executed via the SSH %r token expansion.

Preconditions and scope:
- Hostname injection (ProxyCommand via URL path) is only exploitable on systems running OpenSSH < 9.6. OpenSSH 9.6+ validates hostnames and rejects shell metacharacters before connection, blocking this attack path.
- Username injection is only exploitable if the target system's SSH configuration uses the '%r' (remote username) token within a 'Match exec' directive. This is not part of any default OpenSSH configuration.
- Both attack paths require that remote host login is enabled in Cockpit (the default) and that the attacker has network access to the Cockpit web service on port 9090. The vulnerability only exists in Cockpit versions 327–359 (beiboot/OpenSSH path); earlier versions using cockpit-ssh/libssh are not affected.
- Red Hat Enterprise Linux 7 and 8 are listed as NOT affected; RHEL 9 and 10 are affected.
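A request-inspection rule for the two indicators listed above (an SSH option flag in the hostname segment between 'cockpit+=' and '/login', and shell metacharacters in the Basic-auth username), written as an added example that is not part of this record or of the Cockpit project. It assumes the request path and Authorization header are available, for instance at a reverse proxy in front of cockpit-ws or from request logging; the sample requests are constructed.

```python
# Inspect Cockpit remote-login requests for SSH option / shell injection (detection only).
import base64
import re
from typing import List, Optional
from urllib.parse import unquote

# The remote host sits between "cockpit+=" and "/login" in the URL path.
LOGIN_PATH = re.compile(r"^/cockpit\+=(?P<host>.*)/login(?:[/?].*)?$")
# None of these appear in a legitimate host, user@host or host:port value.
SHELL_META = set(";|&`$()<>#\"'\\ \t\r\n")


def basic_auth(user: str, password: str) -> str:
    """Build the 'Authorization: Basic' header value the login endpoint receives."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def inspect_request(path: str, authorization: Optional[str] = None) -> List[str]:
    """Return detection tags for one request; an empty list means nothing suspicious."""
    m = LOGIN_PATH.match(path)
    if not m:
        return []  # not the remote-login endpoint
    tags = []
    host = unquote(m.group("host"))
    # A whitespace-separated token starting with "-" is an SSH option, not a host.
    if any(tok.startswith("-") for tok in host.split()):
        tags.append("ssh-option-in-hostname")
    if SHELL_META & set(host):
        tags.append("shell-meta-in-hostname")
    if authorization and authorization.lower().startswith("basic "):
        try:
            creds = base64.b64decode(authorization[6:], validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            return tags + ["malformed-basic-auth"]
        user = creds.split(":", 1)[0]
        # The username reaches ssh as %r; it only matters with a "Match exec" config.
        if SHELL_META & set(user):
            tags.append("shell-meta-in-username")
    return tags


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/cockpit+=admin@10.0.0.5:22/login", basic_auth("admin", "pass")),
        ("/cockpit+=-oProxyCommand=echo%20CVE-2026-4631%20%3E%20%2Ftmp%2Fcanary.txt%20%23/login",
         basic_auth("x", "y")),
        ("/cockpit+=10.0.0.5/login", basic_auth("root; sleep 5 #", "x")),
    ]
    for path, auth in samples:
        print(path, "->", inspect_request(path, auth) or "clean")
```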
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_redhat | | 9.8 | CRITICAL | |
OSV
osv · 2026-04-07 · CVSS 9.8 · CRITICAL
CVE-2026-4631: Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization.
GHSA
ghsa_unreviewed · 2026-04-07 · CRITICAL · CWE-78
GHSA-rq49-h582-83m7: Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization.
Red Hat
vendor_redhat · 2026-04-07 · CVSS 9.8 · CRITICAL · CWE-78
cockpit: Cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
Debian
vendor_debian · 2026 · CVSS 9.8 · CRITICAL
CVE-2026-4631: cockpit - Cockpit's remote login feature passes user-supplied hostnames and usernames from...
Scope: local
| Suite | Status |
|---|---|
| bookworm | resolved |
| bullseye | open |
| forky | open |
| sid | resolved (fixed in 360-1) |
| trixie | open |
No detection rules found.
Exploit-DB
exploitdb · 2026-05-21 · CVSS 9.8 · CRITICAL
Cockpit 359 - RCE
---
# Exploit Title: Cockpit 359 - RCE
# Date: 18-04-2026
# Exploit Author: @intx0x80
# Vendor Homepage: https://cockpit-project.org/
# Software Link: https://github.com/cockpit-project/cockpit
# Version: 327-359
# Tested on: Debian
# CVE : CVE-2026-4631
import base64
import argparse
import requests
import urllib3
import urllib.parse
import sys
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
CYAN = "\033[96m"
BOLD = "\033[1m"
RESET = "\033[0m"
def banner():
print(f"""{CYAN}{BOLD}
╔══════════════════════════════════════════════════════════════╗
║ CVE-2026-4631 - Cockpit SSH Argument Injection ║
║ Unauthenticated Remote Code Execution ║
╚════════════════════════════════════════════════════════
Nuclei
nuclei · CVSS 9.8 · CRITICAL
Cockpit Web Console < 360 - Remote Code Execution
Template:
id: CVE-2026-4631
info:
  name: Cockpit Web Console < 360 - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    Cockpit's remote login feature passes user-supplied
Wiz
blogs_wiz · CVSS 9.0 · CRITICAL
CVE-2026-4631 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-4631: Linux Debian vulnerability analysis and mitigation
Source: NVD
Score: 9.8
Published: April 7, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: Linux Debian, Linux Fedora
Has Public Exploit: No
Has CISA KEV
Bugzilla
bugzilla · 2026-04-15 · CVSS 9.8 · CRITICAL
CVE-2026-4631 cockpit: Cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
+++ This bug was initially created as a clone of Bug #2450246 +++
Bugzilla
bugzilla · 2026-03-23 · CVSS 9.8 · CRITICAL
CVE-2026-4631 cockpit: Cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
By default, Cockpit supports logging into remote machines via SSH (https://github.com/cockpit-project/cockpit/blob/main/doc/authentication.md#remote-machines). While previous Cockpit versions used the dedicated cockpit-ssh helper (based on libssh), Cockpit since version 326/327 executes "python3 -m cockpit.beiboot", which in turn invokes the OpenSSH "ssh" client to connect to remote machines. The SSH "connect to" feature is available prior to authentication, meaning an attacker with access to the Cockpit webservice can trigger the execution of ssh on the Cockpit host. To be precise: the beiboot process is spawned as part of the authentication flow, but the attacker only needs t
References
- https://access.redhat.com/errata/RHSA-2026:7381
- https://access.redhat.com/errata/RHSA-2026:7382
- https://access.redhat.com/errata/RHSA-2026:7383
- https://access.redhat.com/errata/RHSA-2026:7384
- https://access.redhat.com/security/cve/CVE-2026-4631
- https://bugzilla.redhat.com/show_bug.cgi?id=2450246
- http://www.openwall.com/lists/oss-security/2026/04/10/5
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4631.json