Cyber Posture

CVE-2026-4631

Critical

Published: 07 April 2026
Modified: 10 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0394 (88.4th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Description

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Requires validation and sanitization of user-supplied hostnames and usernames before they are passed to the SSH client, directly preventing command injection.
- prevent: Mandates timely identification, reporting, and patching of flaws like CVE-2026-4631 using Red Hat errata such as RHSA-2026:7381.
- prevent: Monitors and controls communications at external interfaces to restrict network access to the vulnerable Cockpit web service, reducing exploit opportunities.

Security Summary (AI)

CVE-2026-4631, published on 2026-04-07, is a critical command injection vulnerability (CWE-78) in Cockpit's remote login feature, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw affects the Cockpit web service, where user-supplied hostnames and usernames provided via the web interface are passed directly to the underlying SSH client without any validation or sanitization.

An attacker requires only network access to the Cockpit web service to exploit this vulnerability. By crafting a single HTTP request to the login endpoint, the attacker can inject malicious SSH options or shell commands during the authentication flow, which occurs before any credential verification. This enables arbitrary code execution on the Cockpit host without valid credentials or prior authentication.

Red Hat has released security errata addressing the vulnerability, including RHSA-2026:7381, RHSA-2026:7382, RHSA-2026:7383, and RHSA-2026:7384. Further details on mitigation and patches are available on the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-4631.

Details

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a command injection (CWE-78) in the Cockpit web service, enabling unauthenticated arbitrary code execution on a public-facing application via crafted HTTP requests to the login endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References