CVE-2026-57855 PUBLISHED

Cockpit CMS Missing Authorization in Bucket File Storage API

Assigner: VulnCheck
Reserved: 25.06.2026 Published: 13.07.2026 Updated: 14.07.2026

Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Cockpit HQ
Product Cockpit CMS
Versions Default: affected
  • affected from 0 to 2.14.0 (excl.)

Credits

  • Saidakbarxon Maxsudxonov finder

References

Problem Types

  • Improper Access Control CWE