CVE-2026-31891 Overview
CVE-2026-31891 is a SQL Injection vulnerability affecting Cockpit CMS, a headless content management system. The vulnerability exists in the MongoLite Aggregation Optimizer component, specifically within the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by this security flaw.
The vulnerability allows attackers to inject arbitrary SQL via unsanitized field names in aggregation queries. Notably, exploitation requires only a valid read-only API key (the lowest privilege level); no admin access is required. This makes the attack surface particularly concerning for deployments where the /api/content/aggregate/{model} endpoint is publicly accessible or reachable by untrusted users.
Critical Impact
Attackers can bypass the _state=1 published-content filter to access unpublished or restricted content and extract unauthorized data from the underlying SQLite content database.
Affected Products
- Cockpit CMS version 2.13.4 and earlier
- Deployments with publicly accessible /api/content/aggregate/{model} endpoint
- Instances where untrusted users have access to read-only API keys
Discovery Timeline
- 2026-03-18 - CVE-2026-31891 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-31891
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) stems from improper input sanitization in the MongoLite Aggregation Optimizer. The attack requires network access with low privileges (a read-only API key), making it accessible to a wide range of potential attackers. The vulnerability's CVSS scope is rated Changed, meaning successful exploitation can affect resources beyond the vulnerable component itself; here it allows unauthorized access to content stored in the SQLite database.
The core issue is that field names passed to aggregation queries are not properly sanitized before being used in SQL operations. While version 2.13.3 introduced field-name sanitization for the toJsonPath() method, the toJsonExtractRaw() method in the same file was left vulnerable, creating an injection vector that attackers could exploit.
Root Cause
The root cause of CVE-2026-31891 is insufficient input validation in the toJsonExtractRaw() method within lib/MongoLite/Aggregation/Optimizer.php. When processing aggregation queries, field names provided by users are directly incorporated into SQL statements without proper sanitization or parameterization. This allows attackers to craft malicious field names containing SQL syntax that gets executed against the underlying SQLite database.
The fix introduced in version 2.13.5 applies the same field-name sanitization that was implemented in version 2.13.3 for toJsonPath() to the toJsonExtractRaw() method, ensuring consistent protection against SQL injection across both methods.
Attack Vector
The attack is conducted over the network by sending specially crafted aggregation queries to the /api/content/aggregate/{model} API endpoint. An attacker in possession of even a read-only API key can exploit this vulnerability by including malicious SQL fragments within field names in aggregation requests.
The injection allows attackers to:
- Bypass content state filters (e.g., _state=1) designed to restrict access to published content only
- Access unpublished, draft, or otherwise restricted content entries
- Extract sensitive data from the SQLite content database
The vulnerability mechanism involves unsanitized field names being passed through the toJsonExtractRaw() method, which constructs SQL queries using these field names without proper escaping. For technical details and proof-of-concept information, refer to the GitHub Security Advisory GHSA-7x5c-vfhj-9628.
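The following is an added illustration, not Cockpit's own code, of the root cause and the 2.13.5 fix described above: the vulnerable pattern splices a caller-supplied field name straight into a json_extract() expression, while the hardened version validates the name against a dotted-identifier allowlist and binds the JSON path as a query parameter so it can never alter the SQL text. The content table layout, the _state column, the allowlist regex and the sample rows are assumptions made for this example.

```python
import re
import sqlite3

# Allowlist for field paths: dotted identifiers such as "title" or "meta.author".
# Illustrative rule for this example, not Cockpit's own sanitization routine.
FIELD_PATH_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def vulnerable_extract_sql(field):
    """Unsafe pattern: the caller-supplied field name is concatenated into the SQL text.

    A name containing a quote or SQL keyword lands in the statement unchanged, so the
    query that reaches SQLite is no longer the one the developer wrote.
    """
    return f"SELECT json_extract(document, '$.{field}') FROM content WHERE _state = 1"


def is_safe_field(field):
    """True if the field path is a plain dotted identifier."""
    return bool(FIELD_PATH_RE.fullmatch(field))


def hardened_extract_sql(field):
    """Safe pattern: reject anything outside the allowlist, then bind the JSON path.

    Returns (sql, params) so the path never becomes part of the SQL text.
    """
    if not is_safe_field(field):
        raise ValueError(f"invalid field name: {field!r}")
    return ("SELECT json_extract(document, ?) FROM content WHERE _state = 1", ("$." + field,))


def build_demo_db():
    """Constructed in-memory stand-in for a content table: one published row, one draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, _state INTEGER, document TEXT)")
    conn.executemany(
        "INSERT INTO content (_state, document) VALUES (?, ?)",
        [
            (1, '{"title": "Public post", "meta": {"author": "alice"}}'),
            (0, '{"title": "Secret draft", "meta": {"author": "bob"}}'),
        ],
    )
    return conn


def published_values(conn, field):
    """Run the hardened query and return the extracted values of published rows only."""
    sql, params = hardened_extract_sql(field)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = build_demo_db()
    print(published_values(conn, "meta.author"))        # ['alice']
    print(vulnerable_extract_sql("title' OR 1=1 --"))    # quote and keyword pass straight through
    try:
        hardened_extract_sql("title' OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is deliberately strict: anything that is not a dotted identifier is rejected before any SQL is built, which is the same class of fix the advisory describes for toJsonExtractRaw(). Binding the path as a parameter is a second, independent layer; even if the allowlist were loosened later, the field name could not change the statement's structure.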
Detection Methods for CVE-2026-31891
Indicators of Compromise
- Unusual or malformed requests to the /api/content/aggregate/{model} endpoint containing SQL syntax in field names
- API access logs showing aggregation queries with special characters like single quotes, semicolons, or SQL keywords
- Unexpected access to unpublished content or content states that should be filtered
- Database query logs showing injected SQL statements within JSON extraction operations
Detection Strategies
- Monitor API logs for requests to aggregation endpoints containing suspicious characters or SQL keywords in field name parameters
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API request bodies
- Review access logs for read-only API key usage patterns that indicate data enumeration or extraction attempts
- Deploy runtime application self-protection (RASP) solutions to detect SQL injection attempts at the application layer
Monitoring Recommendations
- Enable detailed logging for all API requests to content aggregation endpoints
- Set up alerts for failed or anomalous aggregation queries that may indicate exploitation attempts
- Monitor for unusual data access patterns, particularly access to unpublished or draft content
- Implement rate limiting on aggregation endpoints to slow down potential data extraction attacks
- Review API key usage and audit which keys have access to aggregation functionality
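As an added example, not part of the original advisory, the detector below turns the Indicators of Compromise and Detection Strategies listed above into code: it parses constructed access-log lines, isolates requests to /api/content/aggregate/, decodes the pipeline JSON, checks every field name against a dotted-identifier allowlist (which catches single quotes, semicolons, spaces and keyword-bearing names in one rule), flags failed aggregation calls, and counts requests per API key to surface enumeration bursts. The log layout (combined format with a trailing key= field), the pipeline-in-query-string transport, the allowlist regex and the sample lines are all assumptions made for this example.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

AGGREGATE_PREFIX = "/api/content/aggregate/"
# Field-name allowlist: pipeline operators ($match, $project, ...) and dotted identifiers.
# Illustrative rule for this example, not Cockpit's own validator.
FIELD_PATH_RE = re.compile(r"^\$?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")
# Combined log format with the API key appended as a trailing "key=" field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+ key=(?P<key>\S+)$"
)


def make_line(ip, key, pipeline, status=200):
    """Construct a sample log line; the pipeline travels as URL-encoded JSON in the query string."""
    encoded = quote(json.dumps(pipeline, separators=(",", ":")), safe="")
    target = f"{AGGREGATE_PREFIX}posts?pipeline={encoded}"
    return f'{ip} - - [18/Mar/2026:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512 key={key}'


# Constructed sample: one clean request, one failed request, one request whose field name
# carries a quote and a SQL keyword, one non-aggregate request, and a burst of paging requests.
SAMPLE_LINES = [
    make_line("203.0.113.5", "ro-key-1", [{"$match": {"_state": 1}}, {"$project": {"title": 1}}]),
    make_line("203.0.113.5", "ro-key-1", [{"$match": {"_state": 1}}], status=400),
    make_line("203.0.113.7", "ro-key-2", [{"$project": {"title' OR 1=1 --": 1}}]),
    '198.51.100.9 - - [18/Mar/2026:10:00:00 +0000] "GET /api/content/item/posts/1 HTTP/1.1" 200 300 key=ro-key-1',
] + [make_line("198.51.100.4", "ro-key-3", [{"$skip": n}, {"$limit": 1}]) for n in range(12)]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def collect_keys(node, out):
    """Recursively gather every dict key in a pipeline: those are the field names the CMS sees."""
    if isinstance(node, dict):
        for key, value in node.items():
            out.append(key)
            collect_keys(value, out)
    elif isinstance(node, list):
        for item in node:
            collect_keys(item, out)
    return out


def suspicious_fields(pipeline):
    """Return the field names that fall outside the allowlist (quotes, semicolons, spaces, ...)."""
    return [k for k in collect_keys(pipeline, []) if not FIELD_PATH_RE.fullmatch(k)]


def analyze(lines, burst_threshold=10):
    """Scan log lines for the indicators listed on the page and return a list of alerts."""
    alerts, per_key = [], Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        url = urlsplit(req["target"])
        if not url.path.startswith(AGGREGATE_PREFIX):
            continue
        per_key[req["key"]] += 1
        if req["status"] != "200":
            alerts.append({"reason": "failed_aggregation", "key": req["key"], "detail": req["status"]})
        raw = parse_qs(url.query).get("pipeline", [""])[0]
        try:
            pipeline = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"reason": "unparseable_pipeline", "key": req["key"], "detail": raw[:80]})
            continue
        for field in suspicious_fields(pipeline):
            alerts.append({"reason": "suspicious_field_name", "key": req["key"], "detail": field})
    for key, count in per_key.items():
        if count > burst_threshold:
            alerts.append({"reason": "high_volume_key", "key": key, "detail": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

Walking the decoded pipeline rather than grepping the raw URL avoids false negatives from percent-encoding and false positives from legitimate string values that happen to contain SQL words; only dict keys, which are the field names the Optimizer consumes, are checked. The burst threshold is a starting point and should be tuned to each deployment's normal read-only traffic.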
How to Mitigate CVE-2026-31891
Immediate Actions Required
- Upgrade Cockpit CMS to version 2.13.5 or later immediately
- Audit API keys and revoke any that are no longer needed or may have been compromised
- Review access logs for the /api/content/aggregate/{model} endpoint for signs of exploitation
- Temporarily restrict access to aggregation endpoints if immediate patching is not possible
- Verify that no unauthorized data was accessed by reviewing content access patterns
Patch Information
The vulnerability has been patched in Cockpit CMS version 2.13.5. The fix applies field-name sanitization to the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php, matching the sanitization introduced in version 2.13.3 for toJsonPath(). This closes the injection vector in the Aggregation Optimizer.
For detailed patch information, see the GitHub Release 2.13.5 and the GitHub Security Advisory GHSA-7x5c-vfhj-9628.
Workarounds
- Disable public access to the /api/content/aggregate/{model} endpoint until patching is complete
- Implement a reverse proxy or WAF rule to block requests containing SQL injection patterns in aggregation query parameters
- Restrict API key distribution and revoke keys from untrusted users
- Apply network-level access controls to limit who can reach the aggregation API endpoints
# Example: Restrict access to aggregation endpoint via nginx
location /api/content/aggregate/ {
    # Allow only trusted IP ranges
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny all;
    # Proxy to Cockpit CMS backend (cockpit_backend must be defined in an upstream block)
    proxy_pass http://cockpit_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.