
CVE-2026-4631 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-4631 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2026-4631 is a pre-authentication remote code execution vulnerability in Cockpit, the web-based server management interface for Linux. It is caused by user input from the web interface being passed unvalidated to the SSH client command line during the remote login authentication flow.

Technical Detail

Cockpit's remote login feature accepts a hostname and a username from the web interface and passes them to the underlying SSH client without validation or sanitization. Because the values reach the ssh command line unchecked, a crafted HTTP request to the login endpoint can supply a value that ssh parses as an option rather than as a hostname (a value beginning with a hyphen), or that a shell would interpret as an additional command if the command line is assembled through a shell. The injection is triggered before any credential verification occurs, so no valid account is required to reach the vulnerable code path. Successful exploitation results in unauthenticated remote code execution on the host running the Cockpit service, with the privileges of the Cockpit daemon process.

Exploitation Status

A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of May 22, 2026, and active in-the-wild exploitation has not been confirmed. However, the low exploitation complexity combined with a public PoC significantly elevates the risk of opportunistic exploitation in the near term.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. Given that Cockpit is widely deployed in Linux server environments, including cloud and enterprise infrastructure, opportunistic scanning and exploitation by financially motivated actors is a plausible near-term concern once the PoC circulates further.

What To Do

Apply the latest available Cockpit patch immediately given the critical CVSS score of 9.8 and the pre-authentication nature of the flaw.

If patching cannot be completed immediately, restrict network access to the Cockpit web service port (TCP 9090 by default) with host-based or network firewall rules so that only trusted management networks can reach it. Disabling the remote login feature in the Cockpit configuration is an effective workaround if that functionality is not operationally required, since it removes the code path that invokes the SSH client with web-supplied values.

Detection should focus on three signals. First, SSH client processes spawned by the Cockpit service whose arguments look like options where a hostname or username is expected (a leading hyphen, for example an -o option such as ProxyCommand) or that carry shell metacharacters; the remote login feature spawns ssh legitimately, so the anomaly is in the arguments, not in the spawn itself. Second, unexpected outbound connections initiated by the Cockpit daemon or its child processes. Third, HTTP POST requests to the Cockpit login endpoint whose hostname or username fields begin with a hyphen or contain shell metacharacters (; | & $ ` and quote characters). Ordinary web access logs record only the request line, so inspecting these fields requires a reverse proxy or WAF in front of Cockpit that logs request bodies.
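The two injection vectors described under Technical Detail and the login-request heuristics described above, as an added example that is not Cockpit's code and not the published PoC: a generic vulnerable argv builder beside its allow-listed form, and a scan over constructed login-request records of the kind a body-logging reverse proxy might emit. The login endpoint path, the record format, the field names and all sample values are assumptions made for the example.

```python
"""Added example: SSH argument injection through untrusted host/user fields,
the hardened form, and a scan over constructed login-request records.
Illustrative code only; it is not Cockpit's source."""
import json
import re

# Assumed login endpoint path; confirm against the deployment being monitored.
LOGIN_PATH = "/cockpit/login"

# Allow-lists: RFC 1123 hostname labels (no leading hyphen) and POSIX-style usernames.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?:\.(?!-)[A-Za-z0-9-]{1,63})*$")
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Characters that let a value break out of a shell-assembled command line.
SHELL_META = set(";|&$`<>(){}'\"\\\n\r\t ")


def looks_injected(value):
    """Heuristic from the advisory text: a leading hyphen (ssh's getopt reads it
    as an option) or a shell metacharacter (breaks out of a shell-built command)."""
    return value.startswith("-") or any(c in SHELL_META for c in value)


def build_ssh_argv_unsafe(user, host):
    """Vulnerable pattern: untrusted values land in argv unvalidated. A host such as
    '-oProxyCommand=...' is consumed by ssh as an option, not as a hostname."""
    return ["ssh", "-l", user, host]


def build_ssh_argv_safe(user, host):
    """Hardened form: allow-list both fields, then end option parsing with '--' so
    even a value that slipped through cannot be read by ssh as an option."""
    if not USERNAME_RE.match(user):
        raise ValueError("rejected username: %r" % user)
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ssh", "-l", user, "--", host]


def scan_login_requests(lines):
    """Flag POSTs to the login endpoint whose host or user field looks injected.
    Input: one JSON record per line with src/method/path/user/host (assumed format)."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != LOGIN_PATH:
            continue
        for field in ("host", "user"):
            value = rec.get(field, "")
            if looks_injected(value):
                hits.append((rec.get("src"), field, value))
    return hits


# Constructed sample records (not real traffic): one benign login, one option
# injection in the hostname, one shell metacharacter in the username, one unrelated GET.
SAMPLE_RECORDS = [
    '{"src":"10.0.0.5","method":"POST","path":"/cockpit/login","user":"admin","host":"db01.internal"}',
    '{"src":"198.51.100.7","method":"POST","path":"/cockpit/login","user":"admin","host":"-oProxyCommand=/tmp/p"}',
    '{"src":"198.51.100.9","method":"POST","path":"/cockpit/login","user":"root; id","host":"db01.internal"}',
    '{"src":"10.0.0.8","method":"GET","path":"/cockpit/static/login.js"}',
]

if __name__ == "__main__":
    # The unsafe builder hands ssh an option where a hostname belongs.
    print(build_ssh_argv_unsafe("admin", "-oProxyCommand=/tmp/p"))
    print(build_ssh_argv_safe("admin", "db01.internal"))
    for src, field, value in scan_login_requests(SAMPLE_RECORDS):
        print("suspicious %s from %s: %r" % (field, src, value))
```

The allow-list is the primary control; the `--` separator is defence in depth and does nothing about shell metacharacters, which is why the safe builder never passes the values through a shell at all. When running the scan against real proxy output, adjust LOGIN_PATH and the field names to what the proxy actually records.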