External risk intelligence

Cockpit Unauthenticated Code Execution via Hostname and Username Injection.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-4631

Cockpit is a server management web interface designed to be accessed over the network. Because this vulnerability exists in the web login endpoint and allows for unauthenticated code execution, it affects a component that is commonly deployed as an externally reachable management interface or edge service.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Cockpit's remote login feature, allowing unauthenticated attackers to execute code on the host system by sending a crafted HTTP request. The issue arises from improperly validated user input passed to the SSH client, bypassing credential checks before they occur. The main concern is confirming relevance and exposure given the severity of potential code execution.

  • Unauthenticated attackers can run code remotely.
  • Affects systems with network-accessible management interfaces.
  • Confirm relevance and potential exposure of systems.

Attack Path

How an attacker could exploit the issue

An attacker with network access to the Cockpit web service can target its remote login feature. By sending a specially crafted HTTP request to the login endpoint, the attacker can bypass authentication and inject malicious commands or options. This allows for code execution on the affected host without needing any valid credentials.

  • Network access to web service required.
  • Inject malicious input into login request.
  • Unauthenticated code execution on host.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access to the Cockpit web service to execute arbitrary commands on the host system. The exploit targets the remote login feature by sending a specially crafted HTTP request that injects malicious commands or SSH options, bypassing the need for valid credentials. This could impact the confidentiality, integrity, and availability of the Cockpit host.

  • Host system commands and data.
  • Unauthenticated network request injection.
  • System compromise and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for managing Linux systems and their associated web-based administrative interfaces, such as Infrastructure or Platform Engineering teams, should prioritize this issue. The immediate first step is to identify all systems running Cockpit, determine their network exposure, and confirm which are business-critical. Once identified, work with the asset owners to plan remediation based on the assessed risk.

  • Identify affected Cockpit hosts.
  • Verify network exposure and business criticality.
  • Plan risk-based remediation with owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cockpit and why is it used?

Cockpit is a server management tool that provides a web-based interface for Linux systems. It allows administrators to perform tasks like monitoring system performance, managing storage, and configuring network settings through a browser. It is widely used to simplify administrative operations on servers, often serving as a centralized dashboard to interact with the underlying operating system and its services.

What does CVE-2026-4631 mean for system security?

CVE-2026-4631 is categorized as an OS Command Injection vulnerability (CWE-78). It means that Cockpit fails to properly clean up the information a user enters into its login fields. An attacker can manipulate this input to pass malicious commands directly to the system's SSH client. Because this happens during the initial login phase, the system executes these unauthorized commands before checking if the person is allowed to log in.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted HTTP request to the Cockpit web interface's login endpoint. Because the system does not validate the hostname or username input, it treats the malicious payload as legitimate configuration data for the SSH process. Importantly, simply browsing the Cockpit interface or having a valid account does not trigger this; the attacker must intentionally send a modified, non-standard request to the login service.

Why does Halo Surface Signal flag this as an external risk?

Halo Surface Signal identifies this as a significant concern because Cockpit is frequently deployed as an internet-facing management interface. Since the vulnerability allows for unauthenticated code execution via the web service, any Cockpit instance reachable from the network is a potential target. Systems that are exposed to the public internet or broader untrusted networks are at the highest risk, as they do not require any existing credentials to be compromised.

What are the first steps to address this issue?

Start by identifying all servers in your environment that have the Cockpit service enabled. Once you have a list, verify which of these instances are accessible over the network, particularly those reachable from the internet or less secure segments. Prioritize these exposed hosts for remediation. Collaborate with your system owners to review your network access policies and apply the latest security updates provided by your Linux distribution to patch the affected software.

References