
CVE-2026-4631

Critical · RCE · Updated

Published: 07 April 2026
Modified: 27 June 2026
KEV Added: not listed (see Summary)
Patch: available (Red Hat errata RHSA-2026:7381 through RHSA-2026:7384, see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1389 (percentile 96.1)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4631 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cockpit, the web-based server administration console shipped by Red Hat (vendor inferred from references; NVD did not file a CPE for this CVE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

Cockpit's remote login feature is vulnerable to command injection because it passes user-supplied hostnames and usernames directly to the SSH client without validation or sanitization. The affected component is the Cockpit web service, which handles the authentication flow for remote host access. The flaw is classified as CWE-78 and carries a CVSS v3.1 base score of 9.8.

An attacker with network access to the Cockpit web interface can exploit the issue by sending a single crafted HTTP request to the login endpoint. Because the injection happens before any credential check, no valid login is required; successful exploitation yields arbitrary code execution on the host running the Cockpit web service itself, not merely on the remote target the login names.

Red Hat has published errata RHSA-2026:7381 through RHSA-2026:7384, and a corresponding CVE entry, that address the vulnerability. The EPSS score (0.1389, percentile 96.1, at the time of this snapshot) has shown no material increase since disclosure.

Vulnerability details

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
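The flaw class described in the Deeper analysis and in the Vulnerability details above, modelled as an added Python example. This is illustrative code written for this page, not Cockpit's source and not Red Hat's fix. It assumes a login handler that receives `user` and `host` fields from the HTTP request and launches `ssh ... cockpit-bridge`; the remote command, the option set and the function names (`vulnerable_ssh_command`, `safe_ssh_argv`, `start_remote_session`) are assumptions, and the request values are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed request fields for the demonstration (not from the advisory).
BENIGN_REQUEST = {"user": "admin", "host": "srv.example.com"}
SHELL_INJECTION_REQUEST = {"user": "admin", "host": "srv.example.com; id"}
OPTION_INJECTION_REQUEST = {"user": "admin", "host": "-oProxyCommand=id"}

# Hostname: RFC 1123 labels only, so no whitespace, ';', '@' or leading '-'.
# A port, if needed, belongs in a separate validated field, not in this string.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)
# Username: POSIX portable login name; a leading '-' would be read by ssh as an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class InvalidLoginTarget(ValueError):
    """Raised when a login field fails validation; the endpoint should answer 400."""


def vulnerable_ssh_command(user, host):
    """Vulnerable pattern (hypothetical, not Cockpit's code): raw request
    fields interpolated into a command line that a shell will parse."""
    return f"ssh {user}@{host} cockpit-bridge"


def shell_words(command):
    """Tokenise as /bin/sh would, without executing anything, so we can show
    what the shell would actually run (operators such as ';' become their own
    tokens)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_hostname(host):
    if not HOSTNAME_RE.fullmatch(host):
        raise InvalidLoginTarget("rejected hostname: %r" % host)
    return host


def validate_username(user):
    if not USERNAME_RE.fullmatch(user):
        raise InvalidLoginTarget("rejected username: %r" % user)
    return user


def safe_ssh_argv(user, host):
    """Hardened form: validate both fields first (SI-10), build an argv list
    so no shell parses it, keep every ssh option server-controlled, and put
    '--' before the destination so nothing user-derived can be read as an
    option even if validation is later loosened."""
    user = validate_username(user)
    host = validate_hostname(host)
    return [
        "ssh",
        "-o", "BatchMode=yes",
        "-o", "StrictHostKeyChecking=yes",
        "--",
        f"{user}@{host}",
        "cockpit-bridge",  # assumed remote command for this example
    ]


def start_remote_session(user, host):
    """Launch helper for the hardened path: argv list, never shell=True."""
    return subprocess.Popen(safe_ssh_argv(user, host))


def is_rejected(user, host):
    """True when the hardened builder refuses the request."""
    try:
        safe_ssh_argv(user, host)
    except InvalidLoginTarget:
        return True
    return False
```

Two failure modes are covered. With the shell-string builder, a host of `srv.example.com; id` makes the shell run `id` as a second command on the Cockpit host. Switching to an argv list alone is not enough: a field beginning with `-` is still read by ssh as an option (`-oProxyCommand=...` runs a local command), which is the "malicious SSH options" path the advisory text mentions. The regexes reject both shapes, and the `--` separator stops ssh from treating anything after it as an option.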

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a command injection (CWE-78) in the Cockpit web service, enabling unauthenticated arbitrary code execution on a public-facing application via crafted HTTP requests to the login endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-43984 (shared CWE-78)
CVE-2026-34176 (shared CWE-78)
CVE-2026-47294 (shared CWE-78)
CVE-2020-37125 (shared CWE-78)
CVE-2024-49601 (shared CWE-78)
CVE-2025-62354 (shared CWE-78)
CVE-2022-50596 (shared CWE-78)
CVE-2025-56819 (shared CWE-78)
CVE-2025-48703 (shared CWE-78)
CVE-2026-25111 (shared CWE-78)

Affected Assets

Red Hat (Cockpit web service)
Vendor inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of user-supplied hostnames and usernames before they are passed to the SSH client, blocking the command injection at the login endpoint.

AC-3 Access Enforcement (prevent)
Enforces access-control decisions on all inputs to the remote-login flow, ensuring unauthenticated or malformed requests cannot trigger SSH command execution.

Network access restriction (prevent)
Restricts network access to the Cockpit web service, reducing the attack surface for unauthenticated HTTP requests that exploit the unsanitized login parameters.
