{"id":"UBUNTU-CVE-2026-4631","details":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","modified":"2026-05-20T16:26:10.226282688Z","published":"2026-04-07T17:16:00Z","upstream":["CVE-2026-4631"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-4631"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-4631"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450246"},{"type":"REPORT","url":"https://github.com/cockpit-project/cockpit/pull/23105"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-4631"}],"affected":[{"package":{"name":"cockpit","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/cockpit?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["151-1","156-1","157-1","158-1","160-1","161-1","162-1","163-1","164-1"],"ecosystem_specific":{"binaries":[{"binary_name":"cockpit","binary_version":"164-1"},{"binary_name":"cockpit-bridge","binary_version":"164-1"},{"binary_name":"cockpit-dashboard","binary_version":"164-1"},{"binary_name":"cockpit-docker","binary_version":"164-1"},{"binary_name":"cockpit-machines","binary_version":"164-1"},{"binary_name":"cockpit-networkmanager","binary_version":"164-1"},{"binary_name":"cockpit-packagekit","binary_version":"164-1"},{"binary_name":"cockpit-storaged","binary_version":"164-1"},{"binary_name":"cockpit-system","binary_version":"164-1"},{"binary_name":"cockpit-tests","binary_version":"164-1"},{"binary_name":"cockpit-ws","binary_version":"164-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4631.json"}},{"package":{"name":"cockpit","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/cockpit?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["202.1-1","204-1","206-1","207-1","208-1","210-1","211-1","212-1","213-1","214.1-1","215-1"],"ecosystem_specific":{"binaries":[{"binary_name":"cockpit","binary_version":"215-1"},{"binary_name":"cockpit-bridge","binary_version":"215-1"},{"binary_name":"cockpit-dashboard","binary_version":"215-1"},{"binary_name":"cockpit-machines","binary_version":"215-1"},{"binary_name":"cockpit-networkmanager","binary_version":"215-1"},{"binary_name":"cockpit-packagekit","binary_version":"215-1"},{"binary_name":"cockpit-pcp","binary_version":"215-1"},{"binary_name":"cockpit-storaged","binary_version":"215-1"},{"binary_name":"cockpit-system","binary_version":"215-1"},{"binary_name":"cockpit-tests","binary_version":"215-1"},{"binary_name":"cockpit-ws","binary_version":"215-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4631.json"}},{"package":{"name":"cockpit","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/cockpit?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["252-1","256-1","257-1","258-1","259-1","260-1","261-1","262-1","263-1","264-1","264-1ubuntu0.22.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"cockpit","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-bridge","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-networkmanager","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-packagekit","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-pcp","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-sosreport","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-storaged","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-system","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-tests","binary_version":"264-1ubuntu0.22.04.1"},{"binary_name":"cockpit-ws","binary_version":"264-1ubuntu0.22.04.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4631.json"}},{"package":{"name":"cockpit","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/cockpit?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["300.1-1","303-1","304-1","305-1","306-1","307-1","308-1","309-1","310.1-1","311-1","312-1build2","314-1"],"ecosystem_specific":{"binaries":[{"binary_name":"cockpit","binary_version":"314-1"},{"binary_name":"cockpit-bridge","binary_version":"314-1"},{"binary_name":"cockpit-networkmanager","binary_version":"314-1"},{"binary_name":"cockpit-packagekit","binary_version":"314-1"},{"binary_name":"cockpit-pcp","binary_version":"314-1"},{"binary_name":"cockpit-sosreport","binary_version":"314-1"},{"binary_name":"cockpit-storaged","binary_version":"314-1"},{"binary_name":"cockpit-system","binary_version":"314-1"},{"binary_name":"cockpit-tests","binary_version":"314-1"},{"binary_name":"cockpit-ws","binary_version":"314-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4631.json"}},{"package":{"name":"cockpit","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/cockpit?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["333-1","337-1","339-1","342-1","343-1","345-1","346-1"],"ecosystem_specific":{"binaries":[{"binary_name":"cockpit","binary_version":"346-1"},{"binary_name":"cockpit-bridge","binary_version":"346-1"},{"binary_name":"cockpit-networkmanager","binary_version":"346-1"},{"binary_name":"cockpit-packagekit","binary_version":"346-1"},{"binary_name":"cockpit-sosreport","binary_version":"346-1"},{"binary_name":"cockpit-storaged","binary_version":"346-1"},{"binary_name":"cockpit-system","binary_version":"346-1"},{"binary_name":"cockpit-ws","binary_version":"346-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4631.json"}},{"package":{"name":"cockpit","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/cockpit?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["346-1","348-1","350-1","352-1","353.1-1","354-1","355-1","356-1","360-1"],"ecosystem_specific":{"binaries":[{"binary_name":"cockpit","binary_version":"360-1"},{"binary_name":"cockpit-bridge","binary_version":"360-1"},{"binary_name":"cockpit-networkmanager","binary_version":"360-1"},{"binary_name":"cockpit-packagekit","binary_version":"360-1"},{"binary_name":"cockpit-sosreport","binary_version":"360-1"},{"binary_name":"cockpit-storaged","binary_version":"360-1"},{"binary_name":"cockpit-system","binary_version":"360-1"},{"binary_name":"cockpit-ws","binary_version":"360-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4631.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}