Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <54bd25e5-72fd-49b0-8e69-b4d0a20810a5@vdwaa.nl>
Date: Wed, 20 May 2026 20:52:01 +0200
From: Jelle van der Waa <jelle@...aa.nl>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-4802 [cockpit] Arbitrary code execution in the logs page via
 a specially crafted link

A flaw was found in Cockpit. This vulnerability allows a remote attacker 
to achieve arbitrary command execution on the host by exploiting 
unsanitized user-controlled parameters within crafted links in the 
system logs user interface (UI). An attacker can inject shell 
metacharacters and command substitutions into these parameters, leading 
to the execution of arbitrary shell commands on the affected system. 
This could result in a complete system compromise. [1]

The exploit requires the user to be logged in to Cockpit for the exploit 
to be successful. This has been fixed in Cockpit 362, specifically the 
linked commit. [2]

An POC is available in the test commit, an example of the exploit is 
https://cockpiturl:9090/system/logs#/?boot=0;touch${IFS}/tmp/pwned;&priority=err. 
[3]

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2451155
[2] 
https://github.com/cockpit-project/cockpit/commit/e3a47d70f99a0dbbb427b3146ae9571cecc44296
[3] 
https://github.com/cockpit-project/cockpit/commit/7b401c90fd775dd89ffce194c947ff2e74f5e5ee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.