CVE-2026-4631: CVSS 3.1 score 9.8 (CRITICAL), EPSS 26.5%
Description
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
How to fix CVE-2026-4631
To remediate CVE-2026-4631, upgrade the affected package to the fixed version listed below.
- Upgrade to 337-1+deb13u1 or later.
Is CVE-2026-4631 being exploited?
Moderate: the EPSS score is 26.5%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Affected versions: from 0 up to, but not including, 337-1+deb13u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |