Command Injection Vulnerability in openITCOCKPIT Monitoring Tool
CVE-2026-24893

8.8 HIGH

Key Information:

Vendor:
CVE Published: 14 April 2026

What is CVE-2026-24893?

openITCOCKPIT Community Edition, an open-source monitoring solution, contains a command injection flaw reachable by authenticated users who have permission to add or modify hosts. User-defined host attributes, specifically the host address, are inserted into monitoring command templates without adequate validation, escaping, or quoting. When the monitoring engine (Nagios/Icinga) expands the template and runs the resulting check command, shell metacharacters embedded in the address are interpreted, so an attacker who can set a host address can execute arbitrary operating system commands on the monitoring backend. Because the issue is post-authentication, the exposed surface is every account with host add or edit rights, including low-privilege operators, not only administrators. The issue is fixed in version 5.5.2.
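To make the failure mode concrete, the following Python example (added here; it is not code from openITCOCKPIT or from the advisory) models the vulnerable pattern the advisory describes: a Nagios/Icinga-style check template in which $HOSTADDRESS$ is expanded by plain substitution and then handed to /bin/sh. The template, the plugin path, the host address values and all helper names are constructed for this illustration. It contrasts the unchecked substitution with an allow-list validator for the host address (IPv4/IPv6 literal or RFC 1123 hostname) and with shell quoting on expansion, and uses a POSIX-style tokenizer to show how many commands the shell would actually run in each case.

```python
import ipaddress
import re
import shlex

# Constructed check-command template in Nagios/Icinga macro style (example only).
CHECK_TEMPLATE = "$USER1$/check_ping -H $HOSTADDRESS$ -w 100.0,20% -c 500.0,60% -p 5"
PLUGIN_DIR = "/usr/lib/nagios/plugins"  # assumed expansion of $USER1$

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each label 1-63 characters, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

# Tokens that make /bin/sh start another command.
_SEPARATORS = {";", "|", "||", "&", "&&"}


def is_valid_host_address(address: str) -> bool:
    """Allow-list check: accept only an IP literal or an RFC 1123 hostname.

    Anything else (spaces, ';', '|', '$(', backticks, ...) is rejected.
    """
    if not address or len(address) > 253:
        return False
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(address) is not None


def _expand(template: str, address: str) -> str:
    return template.replace("$USER1$", PLUGIN_DIR).replace("$HOSTADDRESS$", address)


def render_unsafe(template: str, address: str) -> str:
    """Vulnerable pattern: macro expansion by plain substitution, no checks."""
    return _expand(template, address)


def render_quoted(template: str, address: str) -> str:
    """Defense in depth only: quote on expansion, but do not validate input."""
    return _expand(template, shlex.quote(address))


def render_safe(template: str, address: str) -> str:
    """Hardened pattern: reject bad input, and still quote on expansion."""
    if not is_valid_host_address(address):
        raise ValueError(f"rejected host address: {address!r}")
    return _expand(template, shlex.quote(address))


def shell_tokens(command: str) -> list[str]:
    """Tokenise roughly as /bin/sh would, keeping ';', '|', '&' as tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def count_commands(command: str) -> int:
    """Number of commands the shell would run: 1 plus the separators seen.

    This models separators only; $(...) and backtick substitution are not
    detected here, which is why the allow-list, not metacharacter hunting,
    is the real fix.
    """
    return 1 + sum(1 for tok in shell_tokens(command) if tok in _SEPARATORS)


if __name__ == "__main__":
    payload = "127.0.0.1;id"  # constructed attacker-controlled host address
    for name, fn in (("unsafe", render_unsafe), ("quoted", render_quoted)):
        cmd = fn(CHECK_TEMPLATE, payload)
        print(f"{name:7s} -> {count_commands(cmd)} command(s): {cmd}")
    try:
        render_safe(CHECK_TEMPLATE, payload)
    except ValueError as exc:
        print(f"safe    -> {exc}")
    print("safe    ->", render_safe(CHECK_TEMPLATE, "mon01.example.internal"))
```

Validation at input time is the primary control, because a legitimate host address never contains shell metacharacters; quoting on expansion is defense in depth for any path that still reaches the macro. A blocklist of characters is not a substitute for the allow-list: the tokenizer above shows separators, but $(...) and backtick substitution would slip past a separator-only check.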

Affected Version(s)

openITCOCKPIT < 5.5.2

References

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 14 April 2026

  • Vulnerability reserved