CVE-2026-4631

High PUBLISHED

Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection

Red Hat · Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 10.0 Extended Update Support, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 9.6 Extended Update Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8

Not yet in CISA KEV

Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
9.8 Critical EPSS 14.2%

At a Glance

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

linux
CVE Published
Apr 07, 2026
Exploitation Reported
Jul 08, 2026
CVSS
9.8 Critical
EPSS
14.2%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Red Hat
Red Hat Enterprise Linux AppStream EUS (v. 10.0)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux AppStream (v. 10)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux AppStream EUS (v.9.6)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux AppStream (v. 9)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux BaseOS EUS (v. 10.0)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux BaseOS (v. 10)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux BaseOS EUS (v.9.6)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux BaseOS (v. 9)

All versions (default: affected)

Affected
Red Hat
Red Hat Enterprise Linux 7

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Enterprise Linux 8

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Enterprise Linux 10

cockpit

0:344-3.el10_1 to < *

Unaffected
Red Hat
Red Hat Enterprise Linux 10.0 Extended Update Support

cockpit

0:334.1-3.el10_0 to < *

Unaffected
Red Hat
Red Hat Enterprise Linux 9

cockpit

0:344-2.el9_7 to < *

Unaffected
Red Hat
Red Hat Enterprise Linux 9

cockpit

0:344-2.el9_7 to < *

Unaffected
Red Hat
Red Hat Enterprise Linux 9.6 Extended Update Support

cockpit

0:334.2-2.el9_6 to < *

Unaffected
Red Hat
Red Hat Enterprise Linux 7

cockpit

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Enterprise Linux 8

cockpit

All versions (default: unaffected)

Unaffected

CVE References

  • RHSA-2026:7381 access.redhat.com · Vendor Advisory https://access.redhat.com/errata/RHSA-2026:7381
  • RHSA-2026:7382 access.redhat.com · Vendor Advisory https://access.redhat.com/errata/RHSA-2026:7382
  • RHSA-2026:7383 access.redhat.com · Vendor Advisory https://access.redhat.com/errata/RHSA-2026:7383
  • RHSA-2026:7384 access.redhat.com · Vendor Advisory https://access.redhat.com/errata/RHSA-2026:7384
  • RHBZ#2450246 bugzilla.redhat.com · Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2450246
Show 1 more reference

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.