Path Traversal Vulnerability in Cockpit CMS File Storage API
CVE-2026-57856

8.7HIGH

Key Information:

Vendor

Cockpit Hq

Vendor
CVE Published:
13 July 2026

What is CVE-2026-57856?

Cockpit CMS is impacted by a path traversal vulnerability in the Bucket file storage API. The vulnerability arises from insufficient input sanitization in the api() method of the module responsible for bucket management. Specifically, the method strips certain characters but fails to adequately restrict sequences like '../', allowing an authenticated low-privileged user to craft requests that exploit this weakness. As a result, such users can potentially list, upload, and delete files within any bucket on the system, including those that do not belong to them. This could lead to exposure or loss of sensitive data, making timely updates and patches critical for all users.

Affected Version(s)

Cockpit CMS 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Saidakbarxon Maxsudxonov
.