CVE-2026-38991
Published: 29 April 2026
Summary
CVE-2026-38991 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Felsec (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-38991 affects Cockpit 2.13.5 and earlier versions, stemming from a misconfiguration in the Bucket component's _isFileTypeAllowed function. This vulnerability enables a specially crafted filename to bypass the extension filter, allowing unauthorized file renaming.
An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. Successful exploitation permits renaming arbitrary files to use a .php extension, leading to arbitrary code execution on the underlying server. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Mitigation is available via the Cockpit project's release of version 2.14.0, which addresses this and other vulnerabilities, as detailed in the GitHub release notes. Additional advisory information on this and related issues in Cockpit CMS 2.13.5 is provided in Felsec's security post.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26242
Vulnerability details
Cockpit 2.13.5 and earlier are affected by a misconfiguration within the Bucket component's _isFileTypeAllowed function, where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension, enabling arbitrary code to be executed on the underlying server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in web CMS allows authenticated bypass of file extension filter to rename/place .php files, directly enabling exploitation of public-facing application (T1190) and deployment of web shell for RCE (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely patching to Cockpit 2.14.0, which directly fixes the misconfiguration in the _isFileTypeAllowed function.
- SI-10 (Information Input Validation): mandates input validation at file upload and rename points to block specially crafted filenames that bypass extension filters.
- CM-6 (Configuration Settings): ensures secure baseline configuration settings for file-handling components such as the Bucket _isFileTypeAllowed function, preventing misconfigurations that enable filter bypass.
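The input-validation control described above, shown as an added Python example. This is not Cockpit's _isFileTypeAllowed code and is not derived from the 2.14.0 fix; the allow-list, the rejection reasons, the helper names and the constructed test filenames are all assumptions. The point it demonstrates is that an extension check for uploads and renames has to run on the normalised name the storage layer and web server will actually see, and has to treat every dotted segment, not just the last one, as a candidate extension.

```python
"""Hardened filename extension check for upload and rename handlers.

Constructed illustration of CWE-434 input validation (SI-10); not
Cockpit's code and not derived from its fixed version.
"""
import re
import unicodedata

# Assumed allow-list: only the extensions the application needs to store.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})

# Extensions a web server may hand to an interpreter. They are refused in any
# position of the name, so "report.php.jpg" is rejected as well as "shell.php".
SERVER_EXECUTABLE = frozenset({"php", "phtml", "phar", "phps"})

# Conservative character set for stored names (assumed policy).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def check_filename(name: str) -> str:
    """Return "ok" if the name may be stored, otherwise a short rejection reason.

    All checks run on the normalised name, i.e. the form the filesystem and
    the web server will eventually see, not on the raw request string.
    """
    if not isinstance(name, str) or name == "":
        return "empty"
    # NUL and other control characters can truncate the name in C-based
    # layers, so the name that was checked and the name stored would diverge.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return "control character"
    # Normalise before matching: fullwidth or decomposed spellings of "php"
    # must not slip past an ASCII comparison.
    name = unicodedata.normalize("NFKC", name)
    # Some filesystems silently drop trailing dots and spaces, so
    # "shell.php ." would be stored as "shell.php"; strip them first.
    name = name.rstrip(" .")
    if "/" in name or "\\" in name or name in (".", ".."):
        return "path component"
    if not _SAFE_NAME.fullmatch(name):
        return "disallowed character"
    # Leading-dot names (e.g. .htaccess) change server behaviour; never store them.
    if name.startswith("."):
        return "hidden file"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "no extension"
    # Any segment after the basename that a server could map to an interpreter
    # is refused, whatever the final extension says.
    if any(seg in SERVER_EXECUTABLE for seg in parts[1:]):
        return "executable segment"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return "extension not allowed"
    return "ok"


def is_file_type_allowed(name: str) -> bool:
    """Boolean form of check_filename for use at the upload boundary."""
    return check_filename(name) == "ok"


def is_rename_allowed(old_name: str, new_name: str) -> bool:
    """A rename is validated against the destination name: an allowed source
    file says nothing about whether the target name is safe to serve."""
    return is_file_type_allowed(old_name) and is_file_type_allowed(new_name)


if __name__ == "__main__":
    # Constructed sample names, not real upload data.
    for candidate in ["photo.jpg", "report.php.jpg", "shell.php ", ".htaccess",
                      "../x.jpg", "shell.\uff50\uff48\uff50"]:
        print(repr(candidate), "->", check_filename(candidate))
    print("rename photo.jpg -> photo.php allowed:",
          is_rename_allowed("photo.jpg", "photo.php"))
```

The rename helper is the part that matters for this advisory: the filter has to be applied to the name a file will carry after the operation, not only at first upload, and on the same normalised form the server will later use to decide whether to execute it.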