Unauthenticated Cockpit RCE via SSH argument injection
TL;DR — Cockpit’s pre-auth “remote login” flow can be abused to pass attacker-controlled values into ssh, enabling unauthenticated remote code execution on the Cockpit host in vulnerable configurations.
What happened
Cockpit is a web-based server administration UI commonly deployed on Linux systems. An oss-security disclosure for CVE-2026-4631 describes a Critical unauthenticated remote code execution issue in Cockpit’s remote login feature, where user-supplied hostnames and usernames from the web interface are passed to the OpenSSH ssh client without validation/sanitization.
The report describes exploitation via a single crafted HTTP request to a login endpoint (e.g., "/cockpit+=<hostname>/login") with an arbitrary Authorization: Basic header, triggering the ssh invocation during the authentication flow before credential verification.
| Item | Source value |
|---|---|
| Affected software | cockpit |
| Impact | Unauthenticated remote code execution on the Cockpit host |
| Attack vector | Network (pre-auth login endpoint triggers ssh) |
| Severity (GitHub advisory) | Critical, CVSS v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE (GitHub advisory) | CWE-78 (OS Command Injection) |
| Affected versions (GitHub advisory) | > 326 |
| Patched version (GitHub advisory) | 360 |
This is a high-risk pattern for platform teams because it’s pre-auth code execution in a management-plane web service: once exposed beyond trusted networks, scanning and opportunistic exploitation typically follow quickly.
Who is impacted
- Systems running cockpit versions > 326 (per the linked GitHub advisory referenced in the oss-security post).
- Deployments where Cockpit's remote login / connect via SSH feature is enabled and reachable by an attacker with network access to the Cockpit web service.
- Higher-risk configurations called out in the disclosure, including:
  - Hosts with OpenSSH client configurations that use `%r` in a `Match exec` directive (username-based injection path).
  - Hosts running OpenSSH versions that lack early hostname validation (hostname/option injection path described as mitigated by OpenSSH >= 9.6).
What to do now
- Follow vendor remediation guidance and apply the patched release referenced by the upstream advisory.
"Upgrade to 360. You can alternatively backport the patches"
- If you cannot immediately upgrade, consider the vendor-documented mitigation to reduce exposure of the feature:
"A workaround is disabling LoginTo option in cockpit.conf"
- Treat this as an internet-exposure issue:
- Verify Cockpit web endpoints are not exposed to untrusted networks (management-plane segmentation, firewalling, allowlists).
  - Review access logs for unexpected requests to "/cockpit+=.../login" patterns that could indicate probing.
  - If compromise is suspected, assume host-level impact (credential exposure and persistence) and respond accordingly (forensics + credential rotation).
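As an added example (not from the disclosure or the Cockpit project), the log review above can be automated: pull every request matching the "/cockpit+=<hostname>/login" shape out of an access log and flag any whose hostname segment is not a well-formed RFC 1123 hostname, since that is exactly the value Cockpit passed to ssh unvalidated. The log format, the strict-hostname rule and the sample lines are assumptions/constructed; adjust the path regex if your deployment logs a different request format.

```python
import re
from urllib.parse import unquote

# Matches the pre-auth remote-login path shape quoted in the disclosure:
# /cockpit+=<hostname>/login. The segment between "+=" and "/login" is the
# user-supplied hostname. Log format assumed: common/combined access log.
LOGIN_PATH = re.compile(r'"(?:GET|POST) /cockpit\+=([^/ ]+)/login')

# Strict RFC 1123 hostname: dot-separated labels of letters, digits and
# hyphens, 1-63 chars each, no leading/trailing hyphen, <= 253 chars total.
# Legitimate UI traffic should satisfy this; anything else is worth a look.
HOSTNAME = re.compile(
    r'^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$'
)


def classify_line(line: str):
    """Return None if the line is not a remote-login request, otherwise a
    (hostname, verdict) tuple where verdict is 'ok' or 'suspicious'."""
    m = LOGIN_PATH.search(line)
    if m is None:
        return None
    host = unquote(m.group(1))          # log stores the URL-encoded form
    # Tolerate an optional :port suffix; validate only the hostname part.
    host_only = host.rsplit(':', 1)[0] if re.search(r':\d+$', host) else host
    verdict = 'ok' if HOSTNAME.match(host_only) else 'suspicious'
    return host, verdict


def scan(lines):
    """Yield (line_no, hostname, verdict) for every remote-login request."""
    for n, line in enumerate(lines, 1):
        result = classify_line(line)
        if result:
            yield (n, *result)


# Constructed sample access-log lines (not from any real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "GET /cockpit/login HTTP/1.1" 401 0',
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /cockpit+=db01.example.internal/login HTTP/1.1" 401 0',
    '203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /cockpit+=bad%20host/login HTTP/1.1" 401 0',
    '203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /cockpit+=-not.a.host/login HTTP/1.1" 401 0',
]

if __name__ == '__main__':
    for n, host, verdict in scan(SAMPLE_LOG):
        print(f'line {n}: host={host!r} -> {verdict}')
```

Any hit at all from an untrusted source address is notable on a host where the remote login feature should not be reachable; the 'suspicious' verdict only narrows down which requests to examine first.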
Additional Information
- Upstream GitHub advisory (patch links and CVSS details): GHSA-m4gv-x78h-3427.
- Red Hat bugzilla reference is linked from the disclosure for deeper technical details and downstream patch tracking.
