CVE-2026-4631
Published: 07 April 2026
Summary
CVE-2026-4631 is a critical-severity OS Command Injection (CWE-78) vulnerability affecting Red Hat products (vendor inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
Cockpit's remote login feature is vulnerable to command injection because it passes user-supplied hostnames and usernames directly to the SSH client without validation or sanitization. The affected component is the Cockpit web service, which handles authentication flows for remote host access. The flaw is tracked as CWE-78 and carries a CVSS 3.1 score of 9.8.
An attacker with network access to the Cockpit web interface can exploit the issue by sending a single crafted HTTP request to the login endpoint. Because the injection occurs before any credential checks, no valid login is required; successful exploitation results in arbitrary code execution on the Cockpit host itself.
Red Hat has published errata RHSA-2026:7381 through RHSA-2026:7384 and a corresponding CVE entry that address the vulnerability. The current EPSS score of 0.3039 has shown no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19814
Vulnerability details
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection (CWE-78) in the Cockpit web service, enabling unauthenticated arbitrary code execution on a public-facing application via crafted HTTP requests to the login endpoint.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of user-supplied hostnames/usernames before they are passed to the SSH client, blocking the command injection at the login endpoint.
- AC-3 (Access Enforcement): enforces access-control decisions on all inputs to the remote-login flow, ensuring unauthenticated or malformed requests cannot trigger SSH command execution.
- Network access restriction: restricts network access to the Cockpit web service, reducing the attack surface for unauthenticated HTTP requests that exploit the unsanitized login parameters.
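As an added illustration of the SI-10 control above (example code written for this page, not Cockpit's or Red Hat's code): a small Python allowlist that validates the hostname and username before building an argv list for the SSH client, so that no value can be parsed as an ssh option or reach a shell. The regex policy, the function names and the use of `--` as an option terminator are assumptions of this example.

```python
import re
import subprocess

# Assumed allowlist policy (not Cockpit's own rules).
# Hostname: RFC 1123-style labels; no label may begin or end with '-'.
# The leading-hyphen rule is what stops a value from being read as an option.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# POSIX-style user names: must start with a letter or underscore.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class InvalidLoginParameter(ValueError):
    """Raised when a hostname, username or port fails the allowlist."""


def validate_host(host: str) -> str:
    if not HOST_RE.fullmatch(host):
        raise InvalidLoginParameter(f"hostname rejected: {host!r}")
    return host


def validate_user(user: str) -> str:
    if not USER_RE.fullmatch(user):
        raise InvalidLoginParameter(f"username rejected: {user!r}")
    return user


def build_ssh_argv(host: str, user: str, port: int = 22) -> list:
    """Return an argv list for the SSH client, never a shell command string.

    '--' ends option parsing in getopt-based clients such as OpenSSH, so even
    a value that slipped past validation could not become an option.
    """
    if not 1 <= port <= 65535:
        raise InvalidLoginParameter(f"port rejected: {port!r}")
    destination = f"{validate_user(user)}@{validate_host(host)}"
    return ["ssh", "-p", str(port), "--", destination]


def is_safe_login(host: str, user: str) -> bool:
    """True when both parameters pass the allowlist."""
    try:
        build_ssh_argv(host, user)
        return True
    except InvalidLoginParameter:
        return False


def run_ssh(host: str, user: str, port: int = 22) -> int:
    # shell=False (the default) hands argv to execve() unchanged: no shell
    # ever interprets ';', '$(' or quotes in the user-supplied values.
    return subprocess.run(build_ssh_argv(host, user, port), check=False).returncode
```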