CVE-2026-4802 Overview
CVE-2026-4802 is a command injection vulnerability in Cockpit, the web-based server administration interface commonly deployed on Red Hat Enterprise Linux and other distributions. The flaw resides in the system logs user interface, where unsanitized user-controlled parameters are embedded into crafted links. An authenticated remote attacker can inject shell metacharacters and command substitutions through these parameters, triggering arbitrary command execution on the host. Successful exploitation results in complete system compromise under the privileges of the targeted user session. The weakness is classified under CWE-78, Improper Neutralization of Special Elements used in an OS Command.
Critical Impact
Authenticated attackers can execute arbitrary shell commands on hosts running vulnerable Cockpit installations, leading to full host compromise.
Affected Products
- Cockpit project (cockpit-project/cockpit)
- Red Hat Enterprise Linux distributions shipping the affected Cockpit package
- Linux systems running the Cockpit systemd logs module that contains the vulnerable logsJournal.jsx code path
Discovery Timeline
- 2026-05-11 - CVE-2026-4802 published to NVD
- 2026-05-12 - Last updated in the NVD database
Technical Details for CVE-2026-4802
Vulnerability Analysis
The vulnerability is a command injection flaw [CWE-78] in the Cockpit system logs interface. The affected code path lives in pkg/systemd/logsJournal.jsx, where URL parameters from the logs UI are passed into shell command construction without proper sanitization. Attackers craft links containing shell metacharacters such as backticks, semicolons, pipes, and $() command substitution syntax. When a privileged Cockpit user opens the crafted link, the embedded payload is concatenated into a shell command and executed by the backend service. Because Cockpit operates with elevated privileges to manage system services, the executed commands inherit those privileges, enabling complete host takeover.
Root Cause
The root cause is missing input neutralization on user-controlled query parameters consumed by the logs journal component. The application trusts client-supplied values when constructing commands rather than escaping or rejecting shell metacharacters. See the affected code region in the GitHub Cockpit Code Reference.
Attack Vector
Exploitation requires network access to the Cockpit web interface, low-privilege authentication, and user interaction by an administrator who clicks a crafted link. The attacker delivers the malicious URL through phishing, chat, or any channel that lures a Cockpit operator into loading it. Once visited, the injected shell payload runs on the managed host. Refer to the Red Hat CVE-2026-4802 Advisory and the Red Hat Bug Report #2451155 for vendor details.
Detection Methods for CVE-2026-4802
Indicators of Compromise
- Cockpit access logs containing URL parameters with shell metacharacters such as ;, |, `, $(, or && in journal-related endpoints.
- Unexpected child processes spawned by cockpit-bridge or cockpit-ws, including shells, network utilities, or package managers.
- Outbound network connections initiated by Cockpit service accounts to unfamiliar destinations.
- New cron jobs, systemd units, or SSH authorized keys created shortly after a Cockpit logs UI session.
Detection Strategies
- Inspect Cockpit web server access logs for requests to the systemd logs view containing encoded shell characters or $() substitution patterns.
- Apply process-lineage detections that alert when cockpit-bridge spawns interactive shells or scripting interpreters.
- Correlate authenticated Cockpit sessions with subsequent privileged command execution on the same host.
Monitoring Recommendations
- Forward Cockpit journald entries and audit logs to a central SIEM and alert on anomalous parent-child process relationships.
- Monitor file integrity on /etc/systemd/system/, /etc/cron.d/, and user authorized_keys for changes following Cockpit activity.
- Track HTTP request patterns to the Cockpit endpoint and flag parameter values that fail allow-list validation.
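The log inspection and allow-list check described above, as an added example that is not code from the page or from the Cockpit project. It assumes a common-log-format access log written by a reverse proxy in front of cockpit-ws, that the logs view is served at /system/logs with its filters in the query string, and the parameter allow-list shown; the sample lines are constructed. It also undoes nested percent-encoding so a double-encoded substitution is judged on what it decodes to.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Constructed sample access-log lines (assumption: a reverse proxy in front of cockpit-ws
# logs the request line in common log format and the journal view is served at /system/logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/May/2026:10:01:02 +0000] "GET /system/logs?prio=err&service=sshd.service HTTP/1.1" 200 5120
10.0.0.9 - admin [12/May/2026:10:03:14 +0000] "GET /system/logs?prio=err%3Bid HTTP/1.1" 200 5120
10.0.0.9 - admin [12/May/2026:10:03:20 +0000] "GET /system/logs?service=%2524%2528id%2529 HTTP/1.1" 200 5120
10.0.0.5 - admin [12/May/2026:10:04:00 +0000] "GET /system/logs?grep=Failed+password HTTP/1.1" 200 5120
10.0.0.5 - admin [12/May/2026:10:05:00 +0000] "GET /system/services HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
JOURNAL_PATHS = ("/system/logs",)            # assumption: route of the logs UI
SHELL_META = re.compile(r'[;|&`$(){}<>\n]')  # metacharacters named in the IoCs
# Allow-list of legitimate parameter names and value shapes (assumption; tune to your version).
ALLOWED = {
    "prio": re.compile(r'[0-7]|emerg|alert|crit|err|warning|notice|info|debug'),
    "service": re.compile(r'[A-Za-z0-9@._:-]+'),
}

def fully_decode(value, rounds=3):
    # Undo nested percent-encoding so %2524 is judged as the '$' it becomes.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    # One finding per suspicious parameter on a request to the journal view.
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not url.path.startswith(JOURNAL_PATHS):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SHELL_META.search(value):
                reason = "shell-metacharacter"
            elif name not in ALLOWED or not ALLOWED[name].fullmatch(value):
                reason = "allow-list-failure"
            else:
                continue
            findings.append({"src": m["src"], "user": m["user"], "time": m["ts"],
                             "param": name, "value": value, "reason": reason})
    return findings
```

Running scan(SAMPLE_LOG) flags the second, third and fourth lines; the first passes the allow-list and the last is not a journal-view request.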
How to Mitigate CVE-2026-4802
Immediate Actions Required
- Apply vendor-supplied Cockpit security updates as soon as packages are available from your distribution.
- Restrict network exposure of the Cockpit service to trusted management networks or VPNs only.
- Limit Cockpit accounts to operators who require host administration and enforce multi-factor authentication on those accounts.
- Train administrators to avoid clicking unsolicited Cockpit links from external sources.
Patch Information
Red Hat tracks the fix through the Red Hat CVE-2026-4802 Advisory and the upstream change in the cockpit-project/cockpit repository. Upgrade the cockpit package to the vendor-patched release for your distribution. Reboot or restart cockpit.socket and cockpit.service after patching to ensure the updated code is active.
Workarounds
- Until patches are applied, disable the Cockpit service with systemctl disable --now cockpit.socket on hosts where the interface is not required.
- Place Cockpit behind a reverse proxy that enforces strict URL parameter validation and blocks shell metacharacters.
- Restrict access to TCP port 9090 using host firewall rules to permit only administrative source addresses.
# Example: disable Cockpit and restrict access until patched
# Stop the socket listener and the service so nothing answers on TCP 9090 until the update is installed.
sudo systemctl disable --now cockpit.socket cockpit.service
# Where Cockpit must stay reachable instead, drop the broad "cockpit" firewalld service entry
# (this step fails with NOT_ENABLED if that service was never added to the zone)...
sudo firewall-cmd --permanent --remove-service=cockpit
# ...and re-admit TCP 9090 only from the management subnet (10.0.0.0/24 is a placeholder; substitute yours).
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port=9090 protocol=tcp accept'
# Load the permanent rules into the running configuration.
sudo firewall-cmd --reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.