Cockpit CVE-2026-4802: Remote Command Execution via Unsanitized Logs
The National Vulnerability Database (NVD) has detailed CVE-2026-4802, a critical vulnerability in Cockpit, the web-based server manager. This flaw allows a remote attacker to achieve arbitrary command execution on the host system. The vector is unsanitized user-controlled parameters within crafted links displayed in the system logs user interface (UI).
Attackers can inject shell metacharacters and command substitutions into these parameters. This bypasses expected input validation, leading directly to the execution of arbitrary shell commands. The NVD assigns a CVSSv3.1 score of 8.0 (HIGH), indicating a significant risk of complete system compromise once exploited. While no specific affected products were listed, any organization utilizing Cockpit for server management should consider this a serious threat.
This vulnerability, categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), underscores the perennial danger of inadequate input sanitization. For defenders, this isn’t just a theoretical bug; it’s a direct path to root. The attacker’s calculus is simple: find a way to get a malicious string into a log, wait for an administrator to view it through Cockpit, and gain immediate control.
What This Means For You
- If your organization uses Cockpit, you need to be patching for CVE-2026-4802 immediately. Audit your system logs for any suspicious or malformed entries that could indicate an attacker attempting to stage this exploit. Focus on securing the input paths that feed into Cockpit's log display.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Cockpit CVE-2026-4802: Command Injection via Log UI Parameters
title: Cockpit CVE-2026-4802: Command Injection via Log UI Parameters
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-4802 by identifying requests to the Cockpit system logs UI ('/system/logs') that contain shell metacharacters or command substitution patterns within the URI query parameters. This indicates an attempt to inject and execute arbitrary commands.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-4802/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
uri|contains:
- '/system/logs'
cs-uri-query|contains:
- ';;'
- '|'
- '`'
- '$()'
cs-method:
- 'GET'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4802 | RCE | Cockpit |
| CVE-2026-4802 | Command Injection | unsanitized user-controlled parameters within crafted links in the system logs user interface (UI) |
| CVE-2026-4802 | Command Injection | injection of shell metacharacters and command substitutions |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-8290 — Open5GS Denial of Service
CVE-2026-8290 — A security flaw has been discovered in Open5GS up to 2.7.7. This issue affects the function smf_nsmf_handle_update_data_in_vsmf of the file /src/smf/nsmf-handler.c of the...
CVE-2026-8289 — Open5GS Denial of Service
CVE-2026-8289 — A vulnerability was identified in Open5GS up to 2.7.7. This vulnerability affects the function smf_nsmf_handle_update_data_in_vsmf of the file /src/smf/nsmf-handler.c of the component SMF....
CVE-2026-8288 — The Function Gsm_handle_pdu_session_modification_qos_flow_de Denial of Service
CVE-2026-8288 — A vulnerability was determined in Open5GS up to 2.7.7. This affects the function gsm_handle_pdu_session_modification_qos_flow_descriptions of the file src/smf/gsm-handler.c of the component SMF. Executing...