LeakyCreds

CVE-2026-4631 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 7, 2026

Cockpit - Command Injection

Published: April 7, 2026 | Updated: April 7, 2026 | Remote Exploitable

Overview

Cockpit contains a command injection vulnerability: the remote login feature passes unsanitized, user-supplied hostnames and usernames to the SSH client. An attacker can execute code without credentials. Exploitation requires only network access to the web service.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can execute arbitrary code on the Cockpit host without valid credentials, leading to full system compromise.

Mitigation

Update to the latest version with input validation and sanitization for SSH parameters.
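
One way to apply this kind of validation in a service that launches the SSH client, shown as an added example (it is not Cockpit's code or its actual fix): allow-list the username and hostname, then hand them to ssh as an argument vector with no shell in between. The function names, patterns and length limits are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumption: conservative allow-lists, stricter than what ssh itself accepts.
_USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
_LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def valid_host(host: str) -> bool:
    """Accept an IP literal or an RFC 1123 style hostname, nothing else."""
    # Refuse IPv6 zone ids ("%..."): the ipaddress module allows almost
    # any character after the percent sign.
    if "%" not in host:
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            pass
    if not 0 < len(host) <= 253:
        return False
    # Every dot-separated label must start and end with an alphanumeric,
    # so a leading "-" (which ssh would parse as an option) never passes.
    return all(_LABEL_RE.fullmatch(label) for label in host.split("."))


def build_ssh_argv(user: str, host: str, port: int = 22) -> list[str]:
    """Return an argv list for subprocess.run(argv); never a shell string."""
    if not _USER_RE.fullmatch(user):
        raise ValueError("rejected username")
    if not valid_host(host):
        raise ValueError("rejected hostname")
    if not 1 <= port <= 65535:
        raise ValueError("rejected port")
    # "--" ends option parsing, so the destination cannot be read as a flag.
    return ["ssh", "-p", str(port), "-l", user, "--", host]
```

Pass the returned list to `subprocess.run` without `shell=True`, and reject the login request outright when `ValueError` is raised rather than trying to repair the input.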

Details

CVE ID: CVE-2026-4631
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H