Cyber Posture

CVE-2026-4631

Critical · RCE

Published: 07 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: Red Hat errata available (see Deeper analysis)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0366 (88.0th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4631 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cockpit's remote login feature. Its CVSS v3.1 base score is 9.8 (Critical): network-reachable, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 12.0% of CVEs by exploit likelihood (88.0th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of user-supplied hostnames and usernames before they are passed to the SSH client, directly preventing the command injection.

SI-2 Flaw Remediation (prevent)

Mandates timely identification, reporting, and patching of flaws like CVE-2026-4631 using Red Hat errata such as RHSA-2026:7381.

Network boundary control (prevent)

Monitors and controls communications at external interfaces to restrict network access to the vulnerable Cockpit web service, reducing exploit opportunities.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a command injection (CWE-78) in the Cockpit web service, enabling unauthenticated arbitrary code execution on a public-facing application via crafted HTTP requests to the login endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Deeper analysis [AI]

CVE-2026-4631, published on 2026-04-07, is a critical command injection vulnerability (CWE-78) in Cockpit's remote login feature, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw affects the Cockpit web service, where user-supplied hostnames and usernames provided via the web interface are passed directly to the underlying SSH client without any validation or sanitization.

An attacker requires only network access to the Cockpit web service to exploit this vulnerability. By crafting a single HTTP request to the login endpoint, the attacker can inject malicious SSH options or shell commands during the authentication flow, which occurs before any credential verification. This enables arbitrary code execution on the Cockpit host without valid credentials or prior authentication.
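The two failure modes named above (a value that ssh parses as an option, and a value that a shell parses as a command separator) and the SI-10 control recommended earlier both come down to the same check: constrain the username and hostname to a strict grammar before they reach the SSH client, and never route them through a shell. The following is an added example written for this page; it is not Cockpit's code and does not claim to reproduce its actual remote-login path or its fix. The function names, the regexes and the sample attacker values are this example's own assumptions.

```python
"""Input validation for a remote-login path that hands a user-supplied
username and hostname to an SSH client.

Added example, not Cockpit's code: the function names, regexes and sample
values below are this example's own assumptions.
"""
import ipaddress
import re
import shlex

# One RFC 1123 hostname label: letters, digits and hyphens, 1..63 characters,
# no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# POSIX portable user name (IEEE Std 1003.1), capped at 32 characters.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Characters that change meaning if the value ever reaches a shell.
_SHELL_META = set(";|&$`<>(){}\"'\\ \t\r\n")


def injection_reasons(value: str) -> list:
    """Explain why a value is unsafe as an ssh argument; [] means no finding."""
    reasons = []
    if value.startswith("-"):
        reasons.append("leading dash: ssh parses it as an option (e.g. -oProxyCommand=...)")
    found = sorted(set(value) & _SHELL_META)
    if found:
        reasons.append("shell metacharacters: " + repr("".join(found)))
    return reasons


def is_valid_hostname(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)      # literal address such as 10.0.0.5 or ::1
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def is_valid_username(user: str) -> bool:
    return bool(_USERNAME_RE.match(user))


def vulnerable_command(user: str, host: str) -> str:
    """The bug class the advisory describes: raw values interpolated into a
    shell command line.  Constructed illustration, not Cockpit's code."""
    return f"ssh -l {user} {host}"


def safe_ssh_argv(user: str, host: str) -> list:
    """Validate first, then build an argv list that never touches a shell.
    OpenSSH's ssh parses options with getopt, so '--' ends option parsing and
    the hostname position can no longer be read as a flag."""
    if not is_valid_username(user):
        why = "; ".join(injection_reasons(user)) or "bad syntax"
        raise ValueError("rejected username %r: %s" % (user, why))
    if not is_valid_hostname(host):
        why = "; ".join(injection_reasons(host)) or "bad syntax"
        raise ValueError("rejected hostname %r: %s" % (host, why))
    return ["ssh", "-l", user, "--", host]


if __name__ == "__main__":
    # Constructed attacker values: SSH option injection, shell injection, benign.
    for host in ("-oProxyCommand=id", "host; id", "server.example.com"):
        argv = shlex.split(vulnerable_command("admin", host))
        print("vulnerable argv:", argv, "->", injection_reasons(host) or "clean")
        try:
            print("hardened argv:  ", safe_ssh_argv("admin", host))
        except ValueError as exc:
            print("hardened:       ", exc)
```

The allow-list is the control: a hostname that is not a syntactically valid name or address literal is rejected outright, which excludes the leading dash that turns a positional argument into an SSH option and every shell metacharacter that would matter if a shell were involved. The `--` separator and the argv list are defence in depth, not a substitute for the validation; a hostname such as `host; id` is harmless once no shell parses it, but it is still not a hostname and should not reach ssh at all.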

Red Hat has released security errata addressing the vulnerability, including RHSA-2026:7381, RHSA-2026:7382, RHSA-2026:7383, and RHSA-2026:7384. Further details on mitigation and patches are available on the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-4631.

Details

CWE(s)

CWE-78 OS Command Injection
CVEs Like This One

CVE-2026-23702 (shared CWE-78)
CVE-2024-50603 (shared CWE-78)
CVE-2022-50919 (shared CWE-78)
CVE-2024-57687 (shared CWE-78)
CVE-2023-54339 (shared CWE-78)
CVE-2024-49601 (shared CWE-78)
CVE-2026-34387 (shared CWE-78)
CVE-2025-51958 (shared CWE-78)
CVE-2025-43984 (shared CWE-78)
CVE-2025-48703 (shared CWE-78)
