External risk intelligence

An attacker can run any command on your systems via Cockpit CMS.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-38992

A critical flaw in Cockpit CMS allows anyone on the internet to run any command on your servers, potentially giving them full control. This is a serious risk and needs immediate attention.

Halo Surface Signal: 4

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38992

Cockpit is a content management system, which is typically deployed as an internet-facing web application. The vulnerability exists within the application's API endpoints, which are designed to be reachable via web requests. Given that CMS platforms are intended to be accessible to users or administrators over the network, it is common for this surface to be exposed to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Cockpit allows an attacker to execute arbitrary system commands by manipulating the filter parameter in certain API endpoints. This means an attacker could potentially gain control over the underlying infrastructure hosting the application without needing any special privileges.

  • Affects internet-facing systems.
  • Allows unauthorized command execution.
  • Requires no prior access.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this flaw to execute arbitrary code on a vulnerable Cockpit CMS server. By crafting a malicious request targeting specific API endpoints, an attacker could leverage the vulnerability to run commands on the underlying operating system.

  • No authentication required.
  • Filter parameter in API endpoints.
  • Exploits MongoLite $func operator.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows arbitrary code execution through a filter parameter in Cockpit CMS. Because it gives attackers direct system command execution, it is a prime target for exploitation and is generally highly desirable to threat actors.

  • Exploitation is likely due to system command execution.
  • Public exploit code has not been observed.
  • The vulnerability is in a web application, often internet-facing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking network access to all Cockpit CMS instances, as this critical vulnerability allows unauthenticated remote code execution via its API endpoints. If blocking network access is not feasible, implement strict IP allowlisting or Web Application Firewall rules to filter requests targeting vulnerable API endpoints. Monitor logs for any signs of exploitation attempts, such as suspicious filter parameter usage.

  • Block all network access.
  • Allowlist IP addresses.
  • Monitor for suspicious filter parameters.
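The detection step above ("monitor for suspicious filter parameters") can be turned into a concrete log check. The following is an added example, not code from this advisory or from the Cockpit project: it scans constructed web-server access-log lines (combined log format, not real traffic), extracts any `filter` query parameter sent to an API path, and flags requests in which the MongoLite `$func` operator name appears, whether as a JSON key in the decoded filter value or as an array-style key such as `filter[$func]`. The `/api/` path prefix, the log format and the sample IP addresses are assumptions; adjust them to your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format). Not real traffic;
# the operator value is replaced with the placeholder "REDACTED".
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /api/collections/get/posts?filter=%7B%22published%22%3Atrue%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2026:10:00:02 +0000] "GET /api/collections/get/posts?filter=%7B%22%24func%22%3A%22REDACTED%22%7D HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2026:10:00:03 +0000] "GET /api/collections/get/posts?filter%5B%24func%5D=REDACTED HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jan/2026:10:00:04 +0000] "GET /assets/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Operator name named by the advisory; matched case-insensitively after decoding.
SUSPICIOUS_OPERATOR = "$func"


def filter_values(target: str) -> list[str]:
    """Return the decoded 'filter' parameter values from a request target.

    parse_qs percent-decodes keys and values once. Array-style keys such as
    filter[$func] carry the operator in the key itself, so keys are returned too.
    """
    query = urlsplit(target).query
    values: list[str] = []
    for key, vals in parse_qs(query, keep_blank_values=True).items():
        if key == "filter" or key.startswith("filter["):
            values.append(key)
            values.extend(vals)
    return values


def is_suspicious_filter(value: str) -> bool:
    """True if the operator name appears, also catching a second encoding layer."""
    decoded = unquote_plus(value).lower()
    return SUSPICIOUS_OPERATOR in decoded


def scan_log(text: str, api_prefix: str = "/api/") -> list[dict]:
    """Scan access-log text and return one record per request worth reviewing."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m.group("target")
        if not target.startswith(api_prefix):  # assumed API path prefix
            continue
        indicators = [v for v in filter_values(target) if is_suspicious_filter(v)]
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "target": target,
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']} "
              f"indicators={hit['indicators']}")
```

Two caveats when using this on real data: access logs record only the query string, so a `filter` sent in a POST body is invisible to this check and needs request-body logging at the reverse proxy or WAF; and a response status of 200 on a flagged request (as in the second sample line) deserves more attention than a 4xx/5xx, since it suggests the request was processed rather than rejected.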

Frequently asked questions

What is Cockpit CMS and its primary function?

Cockpit CMS is a self-hosted, developer-focused headless content management system. It is used for managing and publishing website content, offering significant flexibility and control over the content infrastructure. Developers utilize it to build custom content models that can be integrated with various frontend and mobile applications through APIs.

What is the weakness class for CVE-2026-38992 and how does it impact Cockpit CMS?

The weakness class for CVE-2026-38992 is CWE-94, known as Code Injection. This vulnerability affects Cockpit CMS versions 2.13.5 and earlier, enabling attackers to execute arbitrary system commands by manipulating the 'filter' parameter. This is achieved by exploiting the MongoLite $func operator.

How can an attacker exploit CVE-2026-38992 in Cockpit CMS?

An unauthenticated attacker can exploit this flaw by sending a specially crafted request to specific API endpoints within Cockpit CMS. By manipulating the 'filter' parameter, the attacker can leverage the MongoLite $func operator to execute arbitrary system commands on the underlying server.

How does the internet-facing nature of Cockpit CMS affect the relevance of CVE-2026-38992?

Cockpit CMS is a content management system typically deployed as an internet-facing web application. The vulnerability lies within its API endpoints, which are designed to be accessible via web requests. This means the attack surface is often exposed to the public internet, increasing the relevance and potential impact of this CVE.

What are the recommended steps to mitigate the risk of CVE-2026-38992 in Cockpit CMS?

To mitigate this critical vulnerability, it is highly recommended to block all network access to Cockpit CMS instances if possible. If blocking network access is not feasible, implement strict IP allowlisting or configure Web Application Firewall rules to filter requests targeting the vulnerable API endpoints. Continuous monitoring of logs for suspicious activity, such as unusual filter parameter usage, is also advised.
