Introduction
An unauthenticated command injection in Cockpit's remote login feature allows any network attacker to achieve code execution on the host with a single HTTP request, no credentials required. With a CVSS score of 9.8 and Cockpit deployed across Fedora, RHEL, CentOS, Debian, Ubuntu, and other major Linux distributions, this vulnerability has a broad blast radius for organizations relying on web-based server administration.
Cockpit is a free and open-source, web-based remote administration tool for Linux servers, sponsored by Red Hat. It ships by default or is readily available in package repositories for most major enterprise Linux distributions, making it one of the more widely deployed server management interfaces in the Linux ecosystem. Because it is a privileged administration interface, a compromise of Cockpit typically equates to full control of the underlying server.
Technical Information
The root cause of CVE-2026-4631 is an OS command injection (CWE-78) in the authentication pipeline of the Cockpit web service component, cockpit-ws. When a user attempts to log in, cockpit-ws examines the Authorization header on requests to the login endpoint and spawns a session command with the target host as an argument. The remote login feature passes user-supplied hostnames and usernames directly to the SSH client without any validation or sanitization.
Because the injected data flows into a command execution context, an attacker can embed malicious SSH options or shell metacharacters in the hostname or username fields of the authentication request. The critical detail is timing: the Pluggable Authentication Modules (PAM) stack has not yet completed credential verification when the session command is spawned, so the injection executes before any authentication check occurs.
Attack Flow
The exploitation sequence is straightforward:
- The attacker identifies a network-accessible Cockpit instance, typically listening on port 9090.
- The attacker crafts a single HTTP request to the login endpoint, embedding a malicious payload in the hostname or username field within the Authorization header.
- cockpit-ws parses the request and passes the unsanitized input as an argument when spawning the SSH session command.
- The injected SSH options or shell commands execute on the Cockpit host with the privileges of the cockpit-ws process.
- The entire chain completes before PAM performs any credential verification, so no valid username or password is needed.
The attack vector is network-based, the attack complexity is low, and no user interaction or prior privileges are required. These characteristics collectively produce the CVSS 9.8 base score.
Why This Matters Architecturally
Cockpit's design intentionally delegates authentication to SSH and PAM. The web service acts as a bridge: it receives credentials over HTTPS and relays them to an SSH session on the backend. This architecture means that the hostname and username values are not merely metadata; they are operands in a command that gets executed on the system. A value that begins with "-" can be consumed as an option by the program being spawned, and one containing shell metacharacters can alter the command if it ever passes through a shell. The absence of input validation at this boundary turns a login form into a command injection surface.
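To make that boundary concrete, here is an added shell example (not Cockpit's code, and not taken from any advisory) that contrasts an argv built straight from the login fields with one that validates both fields and terminates option parsing with "--". The function names, the conservative character sets and the sample inputs are assumptions chosen for illustration; the block only prints the argv it would hand to ssh, one element per line, and never executes it.

```shell
#!/bin/sh
# Added example, not Cockpit's code: why an unvalidated login field is an
# argument-injection surface, and the two checks that close it. Nothing here
# runs ssh; the functions only build and print the argv they would pass.

# Vulnerable pattern: the user-supplied host lands where ssh's option parser
# still looks. A host value beginning with "-" (for example
# "-oProxyCommand=...") is read as an ssh option, not as a destination.
unsafe_ssh_argv() {
    printf '%s\n' ssh -l "$1" "$2"
}

# Hardened pattern, step 1: whitelist each field before it touches argv.
# Rejects empty values, anything starting with "-" (option-like), and any
# character outside a conservative set (no spaces, quotes, ; | $ etc.).
valid_user() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}
valid_host() {
    # DNS names, IPv4 dotted quads and bare IPv6 literals (':' allowed).
    case "$1" in
        '' | -* | *[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

# Hardened pattern, step 2: even with validation in place, end option
# parsing with "--" so that no later argument can be read as an option.
# Exit 1 (and print nothing) when either field fails validation.
safe_ssh_argv() {
    valid_user "$1" && valid_host "$2" || return 1
    printf '%s\n' ssh -l "$1" -- "$2"
}

echo '--- unsafe argv for host "-oProxyCommand=id" (ssh would parse it as an option):'
unsafe_ssh_argv admin '-oProxyCommand=id'
echo '--- hardened builder rejects the same input:'
safe_ssh_argv admin '-oProxyCommand=id' || echo "rejected (exit $?)"
echo '--- hardened argv for a legitimate target:'
safe_ssh_argv admin 10.0.0.7
```

The two controls are independent: validation stops option-like and metacharacter-laden values at the edge, while "--" guarantees that a value which slips through (or a future relaxation of the whitelist) can still never reach the option parser.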
Affected Systems and Versions
The vulnerability affects the Cockpit web service (cockpit-ws) with the remote login feature enabled. Specific affected version numbers have not been published in the available advisories at the time of writing. The following configurations are known to be vulnerable:
- Cockpit installations where the LoginTo configuration option is not explicitly set to false (remote login is enabled by default in many deployments)
- Cockpit instances accessible over the network (default port 9090)
- Deployments across Fedora Linux, Red Hat Enterprise Linux, CentOS, Debian, openSUSE, Arch Linux, and Ubuntu where Cockpit is installed and running
Organizations should monitor the Red Hat Bugzilla ticket and NVD entry for updates on exact version ranges as the vendor publishes more detailed advisories.
Mitigation Strategies
Since no official patch has been confirmed, administrators should apply configuration level controls to neutralize the vulnerable code path:
Disable Remote Login: Set LoginTo to false in the [WebService] section of cockpit.conf. This is the most direct mitigation, as it disables the remote login feature entirely and eliminates the injection pathway.
Disable Multi-Host Access: Ensure AllowMultiHost is set to false in the same [WebService] section of cockpit.conf to prevent cross-host session connections.
Restrict Network Binding: Configure ListenStream in a systemd socket drop-in (a .conf file under /etc/systemd/system/cockpit.socket.d/) so that cockpit-ws only listens on specific trusted IP addresses, not all interfaces. Note that systemd accumulates ListenStream values, so the drop-in must first contain an empty ListenStream= line to clear the unit's default before adding the restricted address, followed by a daemon-reload and a restart of cockpit.socket.
Apply Firewall Rules: Use firewalld (which ships a predefined cockpit service) and SELinux port definitions to restrict inbound traffic to the Cockpit port from trusted networks only.
These controls should be treated as interim measures. Organizations should monitor Red Hat Bugzilla ticket 2450246 for official patch releases.
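The following added shell script (not part of Cockpit or any vendor advisory) audits a cockpit.conf and a cockpit.socket drop-in for the first three controls above, so the interim state can be checked rather than assumed. The helper names, the sample file contents and the temporary paths are constructed for illustration; on a real host the inputs are /etc/cockpit/cockpit.conf and the drop-in(s) under /etc/systemd/system/cockpit.socket.d/, and the INI parsing is deliberately minimal.

```shell
#!/bin/sh
# Added example, not from the Cockpit project: audit the two files the interim
# mitigations touch. All sample contents below are constructed.

# Print the trimmed, lower-cased value of key $2 in the [WebService] section
# of the INI-style file $1. Prints nothing when the key is absent.
ws_option() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[WebService\]/); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print tolower($0); exit
        }' "$1"
}

# The guidance is an explicit "false" for both keys, so an absent key is
# reported as a finding rather than silently accepted as a default.
remote_login_disabled() { [ "$(ws_option "$1" LoginTo)" = "false" ]; }
multihost_disabled()    { [ "$(ws_option "$1" AllowMultiHost)" = "false" ]; }

# Exit 0 when the socket drop-in $1 binds only to specific addresses. A bare
# port (ListenStream=9090), 0.0.0.0:port and [::]:port bind every interface;
# an empty "ListenStream=" is systemd's reset of the default and is skipped.
# No ListenStream at all means the unit default (all interfaces) still applies.
socket_bound_to_specific_addr() {
    awk '
        /^[[:space:]]*ListenStream[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            if ($0 == "") next
            seen = 1
            if ($0 !~ /:/ || $0 ~ /^0\.0\.0\.0:/ || $0 ~ /^\[::\]:/) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }' "$1"
}

# One line per missing control; exit 1 if anything is missing.
audit() {
    rc=0
    remote_login_disabled "$1"         || { echo "cockpit.conf: LoginTo is not false (remote login enabled)"; rc=1; }
    multihost_disabled "$1"            || { echo "cockpit.conf: AllowMultiHost is not false"; rc=1; }
    socket_bound_to_specific_addr "$2" || { echo "cockpit.socket: listens on all interfaces"; rc=1; }
    return $rc
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed "before" state: remote login left enabled, socket on every interface.
cat > "$tmp/weak.conf" <<'EOF'
[WebService]
Origins = https://cockpit.example.com
EOF
cat > "$tmp/weak-socket.conf" <<'EOF'
[Socket]
ListenStream=9090
EOF

# Constructed "after" state: the empty ListenStream= line clears the unit's
# default before the specific address is added.
cat > "$tmp/hardened.conf" <<'EOF'
[WebService]
Origins = https://cockpit.example.com
LoginTo = false
AllowMultiHost = false
EOF
cat > "$tmp/hardened-socket.conf" <<'EOF'
[Socket]
ListenStream=
ListenStream=10.0.0.5:9090
EOF

echo "== weak =="; audit "$tmp/weak.conf" "$tmp/weak-socket.conf" || echo "exit $?"
echo "== hardened =="; audit "$tmp/hardened.conf" "$tmp/hardened-socket.conf" && echo "all interim controls present"
```

After writing a socket drop-in, run systemctl daemon-reload followed by systemctl restart cockpit.socket, and confirm the new binding with ss -ltnp. The fourth control is not file-based: with firewalld, remove the broad cockpit service from the active zone (firewall-cmd --permanent --remove-service=cockpit) and re-add it as a rich rule that names the trusted source network, then firewall-cmd --reload.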
Vendor Security History
The Cockpit development team has a track record of proactively addressing security concerns in the project's architecture. Notably, the team recently decided to disable the host switcher feature by default in newer distributions because of the inherent security risks of cross-host interactions and the limitations of web technology in that context. This decision, documented in the Cockpit 322 release notes, demonstrates a willingness to reduce attack surface when architectural weaknesses are identified, even at the cost of removing user-facing functionality.