CVE-2026-31891
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
Description
### Impact

This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled is potentially affected.

**Who is impacted:**

- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a **valid read-only API key** (the lowest privilege level) can exploit this vulnerability — no admin access is required.

**What an attacker can do:**

- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the `_state=1` published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.

**Confidentiality impact is High.** Integrity and availability are not directly affected by this vulnerability.

### Patches

This vulnerability has been **patched in version 2.13.5**. All users running Cockpit CMS version **2.13.4 or earlier** are strongly advised to upgrade to **2.13.5 or later** immediately.

- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5

The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
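The root cause described above is a caller-supplied field name being spliced into a SQLite `json_extract()` path. The following added example (written for this page, not Cockpit's code, and in Python with the standard `sqlite3` module rather than the project's PHP) shows the unsafe shape beside a hardened one: the field name is checked against an allowlist of dotted identifiers and the JSON path is passed as a bound parameter, so the `_state=1` published-content filter cannot be altered by the caller. The allowlist regex, the `document` column, and the sample records are assumptions made for the example.

```python
"""Added example, not Cockpit CMS code: building a SQLite json_extract()
projection from a caller-supplied field name, the unsafe way beside a
hardened way that validates the name and binds the path as a parameter."""
import re
import sqlite3

# Allowlist for document field paths: dotted identifiers such as "meta.author".
# The pattern is an assumption chosen for this example, not Cockpit's own rule.
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$")


def to_json_extract_raw_unsafe(field: str) -> str:
    """Vulnerable shape: the field name is spliced into the SQL text, so a
    quote inside `field` terminates the path literal and whatever follows
    is parsed as SQL."""
    return f"json_extract(document, '$.{field}')"


def to_json_extract_raw_safe(field: str) -> tuple[str, list[str]]:
    """Hardened shape: reject anything outside the allowlist, then hand the
    JSON path to SQLite as a bound parameter instead of concatenating it."""
    if not FIELD_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    return "json_extract(document, ?)", [f"$.{field}"]


def setup_db() -> sqlite3.Connection:
    """Constructed sample content table: one published record, one draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, document TEXT)")
    conn.executemany(
        "INSERT INTO content (document) VALUES (?)",
        [
            ('{"title": "Public post", "meta": {"author": "alice"}, "_state": 1}',),
            ('{"title": "Secret draft", "meta": {"author": "bob"}, "_state": 0}',),
        ],
    )
    return conn


def published_values(field: str) -> list:
    """Project `field` from published records only. The _state=1 filter stays
    intact because the caller-controlled value never reaches the SQL text;
    a path that does not exist in a document yields NULL (None)."""
    expr, params = to_json_extract_raw_safe(field)
    conn = setup_db()
    try:
        rows = conn.execute(
            f"SELECT {expr} FROM content WHERE json_extract(document, '$._state') = 1",
            params,
        ).fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(to_json_extract_raw_unsafe("title"))   # json_extract(document, '$.title')
    print(published_values("title"))              # ['Public post']
    print(published_values("meta.author"))        # ['alice']
    print(published_values("missing"))            # [None]
    for bad in ("title'", "a b", "title;"):
        try:
            published_values(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The allowlist is deliberately strict (letters, digits, underscore, dots between segments); if a deployment needs other characters in field names, widen the pattern rather than falling back to string concatenation, and keep the path bound as a parameter in either case.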
How to fix CVE-2026-31891
To remediate CVE-2026-31891, upgrade the affected package to a fixed version below.
- Upgrade to 2.13.5 or later
Is CVE-2026-31891 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Cockpit CMS: all versions from 0 up to, but not including, 2.13.5