Remote Code Execution Vulnerability in Cockpit Web Service by Red Hat
CVE-2026-4631

9.8 CRITICAL

What is CVE-2026-4631?

CVE-2026-4631 is a critical remote code execution vulnerability in the Cockpit web service developed by Red Hat. Cockpit is a browser-based interface for administering servers. The vulnerability arises from the way Cockpit handles user-supplied hostnames and usernames when establishing remote login sessions over SSH: these values are not properly validated or sanitized before use. An attacker with network access to the Cockpit web service can send a crafted HTTP request to the login endpoint and inject SSH options or shell commands through those fields. Because the injection happens during the authentication flow, no valid credentials are required, and the result is arbitrary code execution on the Cockpit host, compromising the confidentiality and integrity of the affected system.
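The bug class described above, a destination built from unvalidated input and handed to ssh, is easiest to understand next to its fix. The following is an added illustration, not Cockpit's source: the command shape (user passed with `-l`, host as a positional word), the function names, the allow-list regexes and the sample inputs are all assumptions made for this example. It shows three builders that each remain injectable (shell string, shell-quoted string, and argv without a `--` terminator) beside a hardened builder that validates both fields and ends option parsing before the hostname.

```python
"""Option and shell injection through an SSH destination built from
untrusted hostname/username input, next to a hardened builder.

Added example, not Cockpit's code. The command shape, names, allow-list
rules and sample inputs are assumptions made for illustration.
"""
import re
import shlex

# Allow-lists (assumptions for this example, not Cockpit's rules).
# Hostname: RFC 1123 labels joined by dots, 253 characters max. IP literals,
# including bracketed IPv6, are deliberately not accepted here.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*", re.I)
# Username: portable POSIX login-name characters; cannot start with '-'.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}", re.I)


def build_ssh_command_unsafe(user: str, host: str) -> str:
    """Vulnerable pattern 1: untrusted input interpolated into a shell
    string. A host such as 'h; id' runs 'id' on the local host."""
    return f"ssh -l {user} {host}"


def build_ssh_command_quoted(user: str, host: str) -> str:
    """Vulnerable pattern 2: shell quoting stops command injection but not
    option injection. A host beginning with '-' contains only characters
    shlex.quote considers safe, so it reaches ssh unquoted and is parsed
    as an option (for example -o ProxyCommand=...)."""
    return "ssh -l " + shlex.quote(user) + " " + shlex.quote(host)


def build_ssh_argv_unsafe(user: str, host: str) -> list[str]:
    """Vulnerable pattern 3: no shell at all, yet the host word is still
    consumed by ssh's option parser when it begins with '-'."""
    return ["ssh", "-l", user, host]


def is_valid_target(user: str, host: str) -> bool:
    """Allow-list validation of both parts of the destination."""
    return bool(USER_RE.fullmatch(user)) and bool(HOST_RE.fullmatch(host))


def build_ssh_argv_safe(user: str, host: str) -> list[str]:
    """Hardened: validate against allow-lists, pass argv (no shell), and
    end option parsing with '--' so the host can never be read as an
    option even if the validation rules are later relaxed."""
    if not is_valid_target(user, host):
        raise ValueError("rejected SSH destination")
    return ["ssh", "-l", user, "--", host]


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for user, host in [("admin", "web01.example.com"),
                       ("admin", "h; id"),
                       ("admin", "-oProxyCommand=id")]:
        print(repr(build_ssh_command_quoted(user, host)),
              "valid" if is_valid_target(user, host) else "rejected")
```

The point of the quoted variant is that escaping is the wrong tool here: the dangerous hostname contains nothing a shell would treat specially, so only allow-list validation and the `--` terminator protect the ssh argument parser.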

Potential impact of CVE-2026-4631

  1. Unauthorized Remote Code Execution: The most serious impact of CVE-2026-4631 is arbitrary code execution on the affected system without valid credentials. An attacker can take full control of the server, modify its configuration, or install additional malware.

  2. Data Breaches and Integrity Issues: Beyond unauthorized access, exploitation can expose sensitive information held on or reachable from the server, including user data and organizational assets, with the legal and reputational consequences that follow.

  3. Network Penetration and Lateral Movement: Because the vulnerability yields code execution on the Cockpit host, which by design holds credentials and SSH access to other managed systems, an attacker can use it as a foothold to move laterally and compromise additional machines beyond the initially affected server.

Affected Version(s)

Red Hat Enterprise Linux 10 0:344-3.el10_1

Red Hat Enterprise Linux 10.0 Extended Update Support 0:334.1-3.el10_0

Red Hat Enterprise Linux 9 0:344-2.el9_7

Exploit Proof of Concept (PoC)

Proof-of-concept code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which can lead to ransomware deployment.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Vector string (from the metrics above): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Florian Kohnhäuser for reporting this issue.