Missing Authorization Vulnerability in Cockpit CMS Bucket File Storage API
CVE-2026-57855

8.7HIGH

Key Information:

Vendor

Cockpit Hq

Vendor
CVE Published:
13 July 2026

What is CVE-2026-57855?

Cockpit CMS features a vulnerability in its Bucket file storage API that permits any authenticated user to execute potentially hazardous commands on buckets without proper authorization checks. This flaw means that users can engage in operations such as listing, uploading, removing files, renaming, and creating folders within any bucket, even those designated for administrative purposes. Due to the lack of Access Control List (ACL) verification or role enforcement, it poses a significant risk to the integrity and confidentiality of sensitive data managed by Cockpit CMS.

Affected Version(s)

Cockpit CMS 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Saidakbarxon Maxsudxonov
.