CVE-2026-4631: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Red Hat Red Hat Enterprise Linux 10
CVE-2026-4631 is a critical OS command injection vulnerability in the Cockpit remote login feature of Red Hat Enterprise Linux 10. The vulnerability arises because user-supplied hostnames and usernames from the web interface are passed to the SSH client without proper validation or sanitization. An attacker with network access to the Cockpit web service can exploit this by sending a crafted HTTP request to the login endpoint, injecting malicious SSH options or shell commands. This injection occurs before any credential verification, allowing code execution on the Cockpit host without valid credentials. The vulnerability has a CVSS score of 9. 8, indicating high severity. No official patch or remediation level is currently confirmed in the vendor advisory. The vendor advisory link is provided for ongoing updates.
AI Analysis
Technical Summary
The vulnerability CVE-2026-4631 affects Red Hat Enterprise Linux 10's Cockpit remote login feature. It allows an unauthenticated attacker with network access to the Cockpit web service to perform OS command injection by sending specially crafted HTTP requests to the login endpoint. This happens because the application forwards user-supplied hostnames and usernames directly to the SSH client without sanitization, enabling injection of malicious SSH options or shell commands. Exploitation leads to code execution on the host system before any authentication occurs. The CVSS v3.1 base score is 9.8 (critical), reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vendor advisory does not currently specify a remediation level or patch availability.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Cockpit host system without any authentication. This compromises the confidentiality, integrity, and availability of the affected system. Given the pre-authentication nature and the ability to run commands on the host, the impact is critical.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-4631 for current remediation guidance. Until an official fix is released, restrict network access to the Cockpit web service to trusted users only and monitor for suspicious activity targeting the login endpoint. Avoid exposing the Cockpit interface to untrusted networks.
CVE-2026-4631: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Red Hat Red Hat Enterprise Linux 10
Description
CVE-2026-4631 is a critical OS command injection vulnerability in the Cockpit remote login feature of Red Hat Enterprise Linux 10. The vulnerability arises because user-supplied hostnames and usernames from the web interface are passed to the SSH client without proper validation or sanitization. An attacker with network access to the Cockpit web service can exploit this by sending a crafted HTTP request to the login endpoint, injecting malicious SSH options or shell commands. This injection occurs before any credential verification, allowing code execution on the Cockpit host without valid credentials. The vulnerability has a CVSS score of 9. 8, indicating high severity. No official patch or remediation level is currently confirmed in the vendor advisory. The vendor advisory link is provided for ongoing updates.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-4631 affects Red Hat Enterprise Linux 10's Cockpit remote login feature. It allows an unauthenticated attacker with network access to the Cockpit web service to perform OS command injection by sending specially crafted HTTP requests to the login endpoint. This happens because the application forwards user-supplied hostnames and usernames directly to the SSH client without sanitization, enabling injection of malicious SSH options or shell commands. Exploitation leads to code execution on the host system before any authentication occurs. The CVSS v3.1 base score is 9.8 (critical), reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vendor advisory does not currently specify a remediation level or patch availability.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Cockpit host system without any authentication. This compromises the confidentiality, integrity, and availability of the affected system. Given the pre-authentication nature and the ability to run commands on the host, the impact is critical.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-4631 for current remediation guidance. Until an official fix is released, restrict network access to the Cockpit web service to trusted users only and monitor for suspicious activity targeting the login endpoint. Avoid exposing the Cockpit interface to untrusted networks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-03-23T08:25:21.305Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-4631","vendor":"Red Hat"}]
Threat ID: 69d534e5aaed68159a357dd4
Added to database: 4/7/2026, 4:46:29 PM
Last enriched: 4/7/2026, 5:01:10 PM
Last updated: 4/7/2026, 7:04:06 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.