openITCOCKPIT Command Injection: RCE for Authenticated Users
The National Vulnerability Database (NVD) has detailed CVE-2026-24893, a critical command injection vulnerability impacting openITCOCKPIT Community Edition versions prior to 5.5.2. The flaw allows an authenticated user who has permission to add or modify hosts to execute arbitrary operating system commands on the monitoring backend. It is rated with a CVSS score of 8.8 (HIGH).
The root cause, as outlined by the NVD, lies in how user-controlled host attributes – specifically the host address – are handled. These attributes are expanded into monitoring command templates without proper validation, escaping, or quoting. When these templates are subsequently executed by the underlying monitoring engine, such as Nagios or Icinga, via a shell, it directly leads to remote code execution (RCE). Essentially, an attacker can trick the system into running malicious commands by crafting a specially formed host address.
This is a classic case of improper input validation (CWE-20) leading directly to OS command injection (CWE-78). The fix, available in openITCOCKPIT Community Edition version 5.5.2, addresses this critical oversight, ensuring that user inputs are properly sanitized before being passed to system commands. For any organization running openITCOCKPIT, patching is not just recommended, it’s absolutely essential to prevent potential compromise.
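The handling the root-cause paragraph says was missing (validation, then expansion that never passes through a shell) can be sketched as follows. This is an added example, not openITCOCKPIT's code or its 5.5.2 fix; the Nagios-style `$HOSTADDRESS$` macro, the plugin path and the host entries are assumptions constructed for illustration.

```python
import ipaddress
import re
import shlex

_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")               # no spaces, quotes, ';', '%', '$'
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")   # RFC 1123 hostname label

def is_valid_host_address(value):
    """Accept only an IPv4/IPv6 literal or an RFC 1123 hostname."""
    if not _ALLOWED.fullmatch(value) or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        # Not an IP literal: every dot-separated label must be a valid label,
        # which also rejects a leading '-' that a plugin could read as an option.
        return all(_LABEL.fullmatch(label) for label in value.split("."))

def expand_to_argv(template, host_address):
    """Expand $HOSTADDRESS$ into an argv list meant to be run without a shell."""
    if not is_valid_host_address(host_address):
        raise ValueError(f"rejected host address: {host_address!r}")
    # Tokenise the trusted template first, then substitute per token, so the
    # value can never contribute extra arguments or shell syntax of its own.
    return [tok.replace("$HOSTADDRESS$", host_address) for tok in shlex.split(template)]

def audit_hosts(hosts):
    """Return the names of hosts whose stored address fails validation."""
    return sorted(name for name, addr in hosts.items() if not is_valid_host_address(addr))

# Constructed sample data, not taken from any real installation.
SAMPLE_TEMPLATE = "/usr/lib/nagios/plugins/check_ping -H $HOSTADDRESS$ -w 100,20% -c 500,60%"
SAMPLE_HOSTS = {
    "web01": "192.0.2.10",
    "db01": "db01.example.internal",
    "v6host": "2001:db8::1",
    "suspect": "192.0.2.10; echo INJECTED",   # constructed: shell metacharacters
}

if __name__ == "__main__":
    print("hosts failing validation:", audit_hosts(SAMPLE_HOSTS))
    print("argv:", expand_to_argv(SAMPLE_TEMPLATE, SAMPLE_HOSTS["web01"]))
```

Running `audit_hosts` over an export of existing host records is also a quick way to look for entries that were stored before patching.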
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-24893 | Command Injection | openITCOCKPIT Community Edition < 5.5.2 |
| CVE-2026-24893 | RCE | openITCOCKPIT Community Edition < 5.5.2 |
| CVE-2026-24893 | Command Injection | Vulnerable component: host address attribute in monitoring command templates |