CVE-2026-4631 CRITICAL

CVE-2026-4631: Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection

Vendor Red Hat

Product Red Hat Enterprise Linux 7

Weakness CWE-78

Published April 7, 2026

Last update June 29, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

June 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4631

Related vulnerabilities

Identifiers

CVE CVE-2026-4631

CWE CWE-78

CVSS 9.8 / CRITICAL

Affected versions

Vendor Red Hat

Product Red Hat Enterprise Linux 7

Affected All versions

Vendor Red Hat

Product Red Hat Enterprise Linux 8

Affected All versions

CVE-2026-4631: Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection

01Description

02Disclosure timeline

03References

04Related CVE