CVE-2026-4802 PUBLISHED

Cockpit: cockpit: arbitrary command execution via crafted links in system logs ui

Assigner: redhat
Reserved: 25.03.2026 Published: 11.05.2026 Updated: 12.05.2026

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Operational risk reduction until fixes are available: restrict access to Cockpit to trusted networks/users only, and avoid opening untrusted crafted Cockpit URLs

Credits

Red Hat would like to thank Gabriel Rodrigues (HAKAI) for reporting this issue.

References

Problem Types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE