CVE-2026-34965 Overview
CVE-2026-34965 is an authenticated remote code execution vulnerability in Cockpit CMS. The flaw resides in the /cockpit/collections/save_collection endpoint and is tracked under CWE-94: Improper Control of Generation of Code. Authenticated attackers with collection management privileges can inject arbitrary PHP code through collection rule parameters. The injected code is written directly into server-side PHP files and executed when the application include()s them, granting attackers arbitrary command execution on the underlying server.
Critical Impact
An authenticated account holding collection management privileges, which need not be an administrator, is enough to achieve full remote code execution on the host, leading to complete compromise of confidentiality, integrity, and availability of the Cockpit CMS server.
Affected Products
- Cockpit CMS (agentejo/cockpit)
- Installations exposing the /cockpit/collections/save_collection endpoint
- Deployments granting collection management privileges to non-administrative users
Discovery Timeline
- 2026-04-29 - CVE-2026-34965 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-34965
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-supplied input in collection rule parameters. Cockpit CMS persists collection rule definitions to disk as PHP source files. When the application later loads a collection, it processes these files using include(), which causes the PHP runtime to evaluate any code contained within. Because the save_collection handler does not sanitize, validate, or encode rule parameters before writing them to the rules PHP file, an attacker can embed arbitrary PHP syntax that the interpreter executes on the next include.
Exploitation requires an authenticated session with collection management privileges. The attack vector is network-based and exhibits low complexity, requiring no user interaction. A successful exploit yields PHP code execution under the web server account, enabling command execution, file system access, credential theft, and lateral movement.
Root Cause
The root cause is improper neutralization of directives in dynamically generated code (CWE-94). Rule parameters submitted to /cockpit/collections/save_collection are concatenated into a PHP file template and persisted to disk without escaping. The application implicitly trusts that authenticated collection editors will only submit benign rule expressions, breaking the boundary between data and code.
Attack Vector
An attacker first obtains valid Cockpit CMS credentials with permissions to create or modify collections. The attacker then issues a POST request to /cockpit/collections/save_collection, embedding crafted PHP payloads inside the collection's rules property. Cockpit writes the malicious content into the collection's rules PHP file. The injected payload executes when the application includes the file during normal collection access, returning command output or establishing a reverse shell.
For technical reproduction details, see the VulnCheck Advisory: Cockpit CMS RCE and the public proof-of-concept gist.
Detection Methods for CVE-2026-34965
Indicators of Compromise
- POST requests to /cockpit/collections/save_collection containing PHP tokens such as <?php, system(, exec(, passthru(, or base64_decode( in rule parameters.
- Recently modified PHP files under Cockpit's collection storage directory containing shell command primitives or obfuscated payloads.
- PHP worker processes (php-fpm, or Apache httpd when PHP runs as mod_php) spawning child processes such as sh, bash, nc, curl, or wget. With nginx in front, the parent of such a child is php-fpm, never an nginx worker.
- Outbound network connections initiated by the PHP runtime to unexpected hosts immediately after collection save operations.
Detection Strategies
- Inspect HTTP request bodies sent to the save_collection endpoint and alert on PHP language constructs in rule fields.
- Apply file integrity monitoring to Cockpit's collections directory and flag PHP files written by the web application user outside expected change windows.
- Correlate authentication events for collection editor accounts with subsequent process execution telemetry from the web host.
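The request-body check described in the indicators and strategies above, as an added example; this is not code from Cockpit CMS or from the advisory. It assumes a log record with user, method, path and body fields (your proxy or application log will differ) and uses constructed sample traffic. The point it adds is that a payload hidden behind JSON string escapes or URL-encoding passes a regex run on the raw body, so every decoded view has to be matched.

```python
"""Request-body inspection for Cockpit's save_collection endpoint.

Added example, not code from Cockpit CMS or from the advisory. The record
layout (user, method, path, body) is an assumption standing in for whatever
your proxy or application log emits; the sample records are constructed.
"""
import json
import re
from typing import Optional
from urllib.parse import unquote_plus

SAVE_COLLECTION_PATH = "/cockpit/collections/save_collection"

# PHP open tags and code-execution primitives that should never appear in a
# collection rule field (assumption: benign rules do not use them).
PHP_TOKEN_RE = re.compile(
    r"<\?(?:php|=)"
    r"|\b(?:system|exec|passthru|shell_exec|proc_open|popen|eval|assert|base64_decode)\s*\(",
    re.IGNORECASE,
)


def body_views(body: str) -> list:
    """Return every form of the body a detector must look at: the raw text,
    every JSON string leaf (json.loads resolves \\uXXXX escapes), and the
    URL-decoded value of each form field. Matching the raw text alone lets
    an encoded payload through."""
    views = [body]
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, (dict, list)):
        stack = [doc]
        while stack:
            node = stack.pop()
            if isinstance(node, dict):
                stack.extend(node.values())
            elif isinstance(node, list):
                stack.extend(node)
            elif isinstance(node, str):
                views.append(node)
    else:
        for field in body.split("&"):
            _, _, value = field.partition("=")
            views.append(unquote_plus(value))
    return views


def inspect_request(rec: dict) -> Optional[dict]:
    """Return a finding for a POST to save_collection whose body carries a
    PHP construct in any decoded view, else None."""
    if rec["method"] != "POST" or rec["path"] != SAVE_COLLECTION_PATH:
        return None
    for view in body_views(rec["body"]):
        match = PHP_TOKEN_RE.search(view)
        if match:
            return {"user": rec["user"], "token": match.group(0), "evidence": view[:80]}
    return None


def scan(records) -> list:
    """Run inspect_request over a batch of records and keep the hits."""
    return [f for f in map(inspect_request, records) if f]


# Constructed sample traffic: one benign save, two encoded injection attempts,
# and unrelated requests that must not alert.
SAMPLE_REQUESTS = [
    {"user": "editor1", "method": "POST", "path": SAVE_COLLECTION_PATH,
     "body": '{"collection":{"name":"posts","rules":{"read":"true"}}}'},
    # JSON \u escapes hide "system(" from a regex run on the raw bytes.
    {"user": "editor2", "method": "POST", "path": SAVE_COLLECTION_PATH,
     "body": r'{"collection":{"name":"posts","rules":{"read":"\u0073ystem($_GET[\"c\"]);"}}}'},
    # The same attack as a URL-encoded form post.
    {"user": "editor3", "method": "POST", "path": SAVE_COLLECTION_PATH,
     "body": "collection%5Bname%5D=posts&collection%5Brules%5D%5Bread%5D="
             "%3C%3Fphp+passthru%28%24_POST%5B%22x%22%5D%29%3B"},
    {"user": "editor1", "method": "GET", "path": "/cockpit/collections", "body": ""},
    {"user": "editor1", "method": "POST", "path": "/cockpit/api/search",
     "body": '{"q":"system(x)"}'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run against the constructed batch it reports editor2 and editor3 and stays quiet on the benign save; note that the raw body of the editor2 record does not match PHP_TOKEN_RE at all, which is exactly the gap a byte-level WAF rule leaves open.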
Monitoring Recommendations
- Forward web server access logs and PHP error logs to a centralized analytics platform for sustained query and retention.
- Monitor parent-child process relationships on Cockpit hosts, focusing on web server processes spawning shells or network utilities.
- Track creation of new collections and changes to existing collection rules, especially from accounts that rarely perform such actions.
How to Mitigate CVE-2026-34965
Immediate Actions Required
- Restrict access to the Cockpit administrative interface using network controls or VPN until a patched build is deployed.
- Audit all Cockpit user accounts and revoke collection management privileges from users who do not require them.
- Review the collections storage directory for unexpected PHP files or unauthorized modifications to existing rule files.
- Rotate credentials, API tokens, and session secrets stored on or accessible from the Cockpit host if compromise is suspected.
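The review of the collections storage directory called for above (and the file integrity monitoring strategy under Detection Strategies), as an added example; this is not Cockpit's own tooling. COLLECTIONS_DIR, the file names and the PHP contents are assumptions, and the demo builds a throwaway directory so the script runs offline. It takes a hash baseline after an approved deployment, diffs a later snapshot against it, and separately flags files whose mtime falls outside the approved change window.

```python
"""Baseline-and-diff audit of Cockpit's collection storage directory.

Added example, not Cockpit CMS code. COLLECTIONS_DIR is an assumption: point
it at wherever your installation keeps its collection definition files. The
demo builds a throwaway directory so the script runs offline.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

COLLECTIONS_DIR = Path("/var/www/cockpit/storage/collections")  # assumption


def snapshot(root: Path) -> dict:
    """Map every PHP file under root (relative path) to its SHA-256 digest.
    Take one after each approved deployment and keep it off-host."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
        if p.is_file()
    }


def diff_snapshot(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def modified_outside_window(root: Path, start: float, end: float) -> list:
    """PHP files whose mtime falls outside the approved change window
    [start, end]; catches writes the web application user made on its own."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*.php")
        if p.is_file() and not (start <= p.stat().st_mtime <= end)
    )


def demo() -> dict:
    """Simulate a deployment, then an attacker-driven save, and audit the result.
    File contents are constructed; the real file format is not shown on this page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        deploy_time = time.time() - 7 * 24 * 3600  # last approved deployment, a week ago
        for name in ("posts", "pages"):
            f = root / f"{name}.collection.php"
            f.write_text(f"<?php\nreturn ['name' => '{name}', 'rules' => ['read' => 'true']];\n")
            os.utime(f, (deploy_time, deploy_time))  # backdate to the deployment
        baseline = snapshot(root)

        # An account with collection rights saves a rule carrying PHP, plus a new collection.
        (root / "posts.collection.php").write_text(
            "<?php\nreturn ['name' => 'posts', 'rules' => ['read' => 'system($_GET[\"c\"]);']];\n"
        )
        (root / "backup.collection.php").write_text("<?php\npassthru($_POST['x']);\n")

        report = diff_snapshot(baseline, snapshot(root))
        report["outside_window"] = modified_outside_window(
            root, deploy_time - 300, deploy_time + 300
        )
        return report


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files}")
```

In production, replace the demo with `snapshot(COLLECTIONS_DIR)` at deployment time, store the result somewhere the web application user cannot write, and compare on a schedule; anything in `added`, `modified` or `outside_window` that no change ticket explains is a file to pull for manual review.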
Patch Information
Monitor the upstream Cockpit repository and its commit history for security fixes addressing the save_collection rule injection. Apply vendor-released patches as soon as they are validated in a staging environment. Refer to the VulnCheck advisory for the current remediation status.
Workarounds
- Place Cockpit CMS behind a web application firewall that decodes request bodies (JSON string escapes, URL-encoding) before matching, and block requests to /cockpit/collections/save_collection containing PHP tags or dangerous function names; a pattern applied to the raw bytes is bypassed by encoding the payload.
- Configure the PHP runtime to disable high-risk functions such as system, exec, shell_exec, and passthru using the disable_functions directive in php.ini. This blunts shell-spawning payloads only: code pulled in through include() still runs as PHP and can read, write, and exfiltrate files, so treat it as defence in depth rather than a fix.
- Run the Cockpit PHP worker process under a least-privileged account with no login shell and write access only to the storage paths Cockpit must write (it has to save collection files, so the rest of the application tree should be owned by a different user and not writable by the worker).
# Configuration example: harden PHP runtime and restrict the vulnerable endpoint
# /etc/php/php.ini (the path varies by distribution and PHP version; `php --ini` lists the files actually loaded)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
# nginx: block PHP payloads in save_collection requests
# Caveat: nginx evaluates "if" during the rewrite phase, before the request body has been read,
# so $request_body is empty at this point and the pattern never fires. Inspecting bodies needs a
# module that reads them first (ModSecurity, or an access-phase handler in OpenResty); the block
# below only documents the intended rule.
location = /cockpit/collections/save_collection {
    if ($request_body ~* "(<\?php|base64_decode|shell_exec|system\()") {
        return 403;
    }
    proxy_pass http://cockpit_backend;  # upstream name is a placeholder
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.