
Description

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
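The defensive pattern that closes this class of bug is to treat link parameters as data, never as command text: accept only allow-listed parameter names, validate each value against a strict pattern, and pass the result to the process as a separate argv element with no shell in between. The following is an added example written for this page; it is not Cockpit's code and not the fix shipped for this CVE. The parameter names (prio, unit, boot, tag), their mapping to journalctl options, and the sample links are all assumptions chosen for illustration.

```javascript
// Added example, not Cockpit's own code: derive a journalctl argument vector
// from user-controlled link parameters without involving a shell.
// Parameter names (prio, unit, boot, tag) and their flag mapping are assumed.

// Allow-list: which link parameters are accepted, and the strict pattern each
// value must match. Anything not listed here is silently dropped.
const PARAM_RULES = {
  prio: /^(emerg|alert|crit|err|warning|notice|info|debug|[0-7])$/,
  unit: /^[A-Za-z0-9][A-Za-z0-9_.@:-]{0,255}$/,
  boot: /^(-?[0-9]{1,4}|[0-9a-f]{32})$/,
  tag:  /^[A-Za-z0-9_.-]{1,64}$/,
};

const PARAM_TO_FLAG = {
  prio: '--priority',
  unit: '--unit',
  boot: '--boot',
  tag:  '--identifier',
};

function linkParams(link) {
  // Relative links are resolved against a placeholder origin purely so the
  // WHATWG URL parser can split out the query string.
  return new URL(link, 'https://placeholder.invalid/').searchParams;
}

// VULNERABLE PATTERN (shown for contrast only; never execute the result): the
// raw value is spliced into a command string that would later be run through
// a shell, so ';', '$(...)', '`...`' and similar become part of the command.
function buildShellCommandUnsafe(link) {
  const unit = linkParams(link).get('unit') || '';
  return 'journalctl --unit=' + unit;
}

// HARDENED PATTERN: validate against the allow-list and emit one argv element
// per option. The caller hands this array to child_process.spawn('journalctl',
// args) (or the equivalent process API) with no shell in between, so a value
// is only ever a string argument, never interpreted syntax.
function buildJournalctlArgs(link) {
  const args = ['--output=json', '--no-pager'];
  for (const [key, raw] of linkParams(link)) {
    const rule = PARAM_RULES[key];
    if (!rule) continue; // unknown parameter: ignore
    if (!rule.test(raw)) {
      throw new Error(`rejected value for link parameter "${key}"`);
    }
    // "--flag=value" as a single element: even a value that starts with '-'
    // (e.g. boot=-1) cannot be mistaken for a separate option.
    args.push(`${PARAM_TO_FLAG[key]}=${raw}`);
  }
  return args;
}

// Stand-alone demonstration with constructed links.
const okLink = '/logs?prio=err&unit=sshd.service';
const badLink = '/logs?unit=sshd.service;id'; // constructed hostile value
console.log('argv:', buildJournalctlArgs(okLink));
console.log('unsafe string would be:', buildShellCommandUnsafe(badLink));
try {
  buildJournalctlArgs(badLink);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Two design points worth noting: validation alone is not the fix (a future parameter with a looser pattern would reopen the hole), so the argv array and the absence of a shell are what actually remove the injection surface; and writing each option as a single `--flag=value` element avoids the secondary problem of a validated value such as `-1` being parsed as an unrelated option.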

Status: PUBLISHED | Reserved 2026-03-25 | Published 2026-05-11 | Updated 2026-05-11 | Assigner: redhat




HIGH: 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected


Timeline

2026-03-25: Reported to Red Hat.
2026-05-11: Made public.

Credits

Red Hat would like to thank Gabriel Rodrigues (HAKAI) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-4802 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2451155 (RHBZ#2451155) issue-tracking

github.com/...pit/blob/e204cd130/pkg/systemd/logsJournal.jsx

cve.org (CVE-2026-4802)

nvd.nist.gov (CVE-2026-4802)
