Cyber Posture

CVE-2026-24893

High

Published: 14 April 2026
Modified: 17 April 2026
KEV Added: (no date listed)
Patch: (no entry listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Requires validation of user-controlled host attributes like the host address before expansion into shell-executed monitoring command templates, directly preventing command injection.
- prevent: Mandates timely remediation of the specific flaw by patching to version 5.5.2, which fixes the unsafe input expansion in command templates.
- prevent: Restricts host address inputs to intended types and formats, reducing the risk of injecting command separators or payloads into monitoring templates.

Security Summary [AI]

CVE-2026-24893 is a command injection vulnerability in openITCOCKPIT Community Edition, an open source monitoring tool for engines like Nagios and Icinga, affecting versions prior to 5.5.2. The issue stems from user-controlled host attributes, particularly the host address, being directly expanded into monitoring command templates without proper validation, escaping, or quoting. These templates are subsequently executed by the monitoring engine via a shell, enabling remote code execution on the backend server.

An authenticated attacker with permissions to add or modify hosts can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious content into the host address field, the attacker causes arbitrary operating system commands to execute in the context of the monitoring engine process, potentially granting high confidentiality, integrity, and availability impacts as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw is linked to CWE-20 (Improper Input Validation) and CWE-78 (OS Command Injection).

Advisories from the openITCOCKPIT project recommend upgrading to version 5.5.2, which patches the vulnerability by addressing the unsafe expansion of host attributes in command templates. Details are available in the GitHub security advisory (GHSA-789q-pw85-j2q2), the release notes for version 5.5.2, and a related blog post on openitcockpit.io.
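The unsafe macro expansion described in the Description and Security Summary above, shown beside a hardened version, as an added illustration that is not code from openITCOCKPIT or the advisory. The check template, the $HOSTADDRESS$ macro name, the allow-list rules and the sample addresses are constructed for this example.

```python
import re
import shlex
import subprocess
from ipaddress import ip_address

# Constructed Nagios/Icinga-style check template (hypothetical, not the
# project's own): the monitoring engine substitutes the host address macro.
CHECK_TEMPLATE = "/usr/lib/nagios/plugins/check_ping -H $HOSTADDRESS$ -w 100,20% -c 500,60%"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 chars each, no leading or trailing hyphen, 253 chars overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_host_address(addr: str) -> bool:
    """Allow-list check: only an IPv4/IPv6 literal or an RFC 1123 hostname.

    Anything else (shell metacharacters, whitespace, a leading '-' that
    check plugins would parse as an option) is rejected at input time.
    """
    try:
        ip_address(addr)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(addr))


def render_unsafe(template: str, address: str) -> str:
    """Vulnerable pattern: raw substitution into one string a shell will parse."""
    return template.replace("$HOSTADDRESS$", address)


def render_safe(template: str, address: str) -> list[str]:
    """Hardened: validate first, substitute per token, return argv (no shell)."""
    if not is_valid_host_address(address):
        raise ValueError(f"rejected host address: {address!r}")
    return [tok.replace("$HOSTADDRESS$", address) for tok in shlex.split(template)]


def run_check(template: str, address: str, timeout: float = 30.0) -> int:
    """Execute the rendered argv directly; shell=False means no word splitting."""
    proc = subprocess.run(render_safe(template, address), shell=False,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode
```

In the unsafe path a value carrying a command separator becomes extra shell words; in the safe path the same value never reaches a shell and is refused before rendering.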

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a command injection in a network-accessible web monitoring application (openITCOCKPIT), enabling exploitation of public-facing applications (T1190) to achieve remote code execution via shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References