Path Traversal Vulnerability in Cockpit CMS File Storage API
CVE-2026-57856
8.7HIGH
What is CVE-2026-57856?
Cockpit CMS is impacted by a path traversal vulnerability in the Bucket file storage API. The vulnerability arises from insufficient input sanitization in the api() method of the module responsible for bucket management. Specifically, the method strips certain characters but fails to adequately restrict sequences like '../', allowing an authenticated low-privileged user to craft requests that exploit this weakness. As a result, such users can potentially list, upload, and delete files within any bucket on the system, including those that do not belong to them. This could lead to exposure or loss of sensitive data, making timely updates and patches critical for all users.
Affected Version(s)
Cockpit CMS 0
