Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
References 7
https://access.redhat.com/security/cve/CVE-2026-4631
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2450246
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:7381
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:7382
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:7383
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:7384
secalert@redhat.com
http://www.openwall.com/lists/oss-security/2026/04/10/5
af854a3a-2127-422b-91ae-364da2661108