The vulnerability CVE-2026-4631 affects the Cockpit remote login feature in Red Hat Enterprise Linux 9.6 and 10. It stems from improper neutralization of special elements used in OS command execution, specifically in the way Cockpit passes user-supplied hostnames and usernames from its web interface to the SSH client without adequate validation or sanitization. An attacker with network access can craft a specially crafted HTTP request to the login endpoint, injecting malicious SSH command-line arguments or shell commands. This leads to unauthenticated remote code execution on the host running Cockpit, as the injection happens before any authentication checks. The CVSS v3.1 base score is 9.8, reflecting critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Red Hat has issued official security advisories (RHSA-2026:7381 and RHSA-2026:7382) providing updated cockpit packages that fix this issue.

Successful exploitation of this vulnerability allows an unauthenticated attacker with network access to the Cockpit web service to execute arbitrary code on the affected host. This can lead to full compromise of the system, including unauthorized access, data manipulation, and disruption of service. The vulnerability is critical due to the lack of authentication requirement and the ability to execute commands remotely.

Red Hat has released official security updates for the cockpit package in Red Hat Enterprise Linux 9.6 and 10 to address CVE-2026-4631. Users should apply these updates promptly. Before applying the update, ensure all previously released errata relevant to the system have been applied. Detailed update instructions are available at https://access.redhat.com/articles/11258. No alternative mitigations or workarounds are indicated in the vendor advisory. Applying the official patch fully mitigates the vulnerability.