Zero Day Monitor © 2026
CVE-2026-4631 · CVSS 9.8 · EXPLOITED · PATCHED
Vendor: Red Hat · Product: Red Hat Enterprise Linux

Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection

Description

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Affected Products

Vendor  | Product                  | Versions
Red Hat | Red Hat Enterprise Linux | —

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor  | Product          | Source        | Confidence
Red Hat | Enterprise Linux | cert_advisory | 90%

References

  • https://access.redhat.com/errata/RHSA-2026:7381 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:7382 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:7383 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:7384 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/security/cve/CVE-2026-4631 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2450246 (issue-tracking, x_refsource_REDHAT)

Related News (3 articles)

Tier B · BSI Advisories · 5h ago
[NEW] [high] Red Hat Enterprise Linux (Cockpit): vulnerability allows code execution
→ No new info (linked only)

Tier C · oss-security · 3d ago
CVE-2026-4631 [cockpit] Unauthenticated remote code execution due to SSH command-line argument injection
→ No new info (linked only)

Tier C · VulDB · 5d ago
CVE-2026-4631 | Cockpit Remote Login os command injection
→ No new info (linked only)
CVSS 3.1: 9.8 HIGH
CISA KEV: No
Actively exploited: Yes
Patch available: 0:334.1-3.el10_0, 0:344-2.el9_7, 0:334.2-2.el9_6
CWE: CWE-78
Published: Apr 7, 2026
Last enriched: 4h ago (v3)
Trending Score: 66
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: versions, epss, kev, iocs, mitre_attack


Related CVEs (5)

HIGH · PRE-CVE · EXP
Multiple vulnerabilities in Red Hat Enterprise Linux affecting tar and Scrapy components
Trending: 47

NONE · CVE-2026-5483
Odh-dashboard: odh dashboard kubernetes service account exposure
Trending: 36

HIGH · PRE-CVE
Multiple vulnerabilities in Red Hat Enterprise Linux fontforge allow arbitrary code execution
Trending: 27

HIGH · CVE-2026-4634 · EXP
Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters
Trending: 27

HIGH · CVE-2026-4636 · EXP
Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.
Trending: 26


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 7, 2026
Discovered by ZDM: Apr 7, 2026
Updated (description): Apr 7, 2026
Actively Exploited: Apr 10, 2026
Exploit Available: Apr 10, 2026
Patch Available: Apr 10, 2026
Updated (severity, exploitAvailable, activelyExploited): Apr 13, 2026

Version History

Current version: v3 (last enriched 4h ago)

v3 · Tier B · 4h ago
Updated severity to HIGH and marked the vulnerability as actively exploited with an exploit available.
Fields changed: severity, exploitAvailable, activelyExploited
via BSI Advisories

v2 · Tier C · 5d ago
Updated description with new details and confirmed no exploit is available.
Fields changed: description
via VulDB

v1 · 5d ago
Initial creation