Cockpit CMS collection rules written to disk and executed via include()
TL;DR - POST /cockpit/collections/save_collection accepts user-supplied rules, writes them to a .php file on disk, then loads that file with include(). Any authenticated user with collection management privileges can drop arbitrary PHP and execute it remotely.
What happened
Cockpit CMS is a PHP-based headless CMS that lets administrators define data collections and attach server-side validation rules to them.
VulnCheck disclosed CVE-2026-34965: the save_collection endpoint takes user-controlled rules from the request body, persists them into a .php rulefile on the server, and later loads that file via include(). The result is remote code execution for anyone holding collection management privileges.
A published proof-of-concept confirms the exploit is straightforward. Craft a JSON payload where the rules string contains PHP - for example system($_GET['cmd']); - then trigger rule evaluation. That's it.
| Item | Detail |
|---|---|
| Affected component | Cockpit CMS collections rules handling (/cockpit/collections/save_collection) |
| Affected versions | Cockpit CMS <= commit 494765e |
| Severity | CVSS v4.0 8.7 (High) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-94 |
This is one of the worst patterns you can find in a PHP admin surface: user input persisted as executable PHP, then loaded unconditionally with include(). One compromised or over-privileged account becomes full server execution. There is no sandboxing, no validation, no middle layer to slow an attacker down.
Who is impacted
- Any deployment running Cockpit CMS at or before commit 494765e.
- Environments where non-admin users or delegated roles have collection management privileges. That is a common configuration - content modellers and developers often get collection-editing access without platform-admin rights.
- Instances where the Cockpit admin panel is reachable from untrusted networks. Credential theft or password reuse against an exposed panel converts directly to server compromise.
Authentication is a meaningful barrier in theory. In practice, many organisations widen collection management access deliberately. This bug collapses that privilege boundary entirely.
What to do now
- Patch first. Move to a Cockpit CMS revision beyond commit 494765e.
- Tighten access to collection management features. Treat the ability to edit collection rules the same way you'd treat the ability to deploy code - because here it is.
- Hunt for rulefile-based webshells:
  - Look for unexpected or recently modified files under collection rule storage paths (for example storage/collections/rules/)
  - Review request logs for unusual access to rule file paths or query strings that look like shell command parameters
- If you suspect exploitation, treat it as a full server compromise:
  - Rotate every secret accessible to the Cockpit process - database credentials, API keys, service tokens
  - Review server-side logs for admin actions around collection saves and any privilege changes in the same window
  - Rebuild from known-good artifacts after patching rather than attempting surgical file removal
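As an added example for the hunt step above (not code from the advisory or from Cockpit), a small Python scanner that walks a rulefile storage path and flags files carrying PHP execution primitives or request superglobals, noting recent modification. The storage/collections/rules/ path follows the advisory; the signature list and the constructed sample files are assumptions made here.

```python
import os
import re
import tempfile
import time

# Assumed signature set for this example, not one shipped by Cockpit: PHP
# execution primitives and request superglobals a validation rule never needs.
SUSPICIOUS = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\bbase64_decode\s*\(",
    re.IGNORECASE,
)

def scan_rule_text(text: str) -> list:
    """Return the distinct suspicious tokens found in one rulefile body."""
    return sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})

def scan_rules_dir(rules_dir: str, recent_seconds: int = 7 * 86400) -> list:
    """Walk a rule storage path and return (path, reasons) for every file
    with suspicious content, noting recent modification as well."""
    now = time.time()
    findings = []
    for root, _dirs, files in os.walk(rules_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tokens = scan_rule_text(fh.read())
            if not tokens:
                continue
            reasons = [f"suspicious token: {t}" for t in tokens]
            if now - os.path.getmtime(path) < recent_seconds:
                reasons.append("modified within review window")
            findings.append((path, reasons))
    return findings

def demo() -> list:
    """Constructed sample in a throwaway directory: one benign rule and one
    rulefile shaped like the published PoC payload."""
    with tempfile.TemporaryDirectory() as tmp:
        rules = os.path.join(tmp, "storage", "collections", "rules")
        os.makedirs(rules)
        with open(os.path.join(rules, "posts.php"), "w") as fh:
            fh.write("<?php\nreturn strlen($data['title']) > 3;\n")
        with open(os.path.join(rules, "pages.php"), "w") as fh:
            fh.write("<?php\nsystem($_GET['cmd']);\n")
        return scan_rules_dir(rules)
```

Point scan_rules_dir at the real rule storage directory of a deployment; a hit is a lead to investigate, since a legitimate rule should never reference request superglobals or shell primitives.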
