Red Hat Security Advisory: cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
A critical vulnerability (CVE-2026-4631) in Cockpit, a web-based server administration tool for GNU/Linux, allows unauthenticated remote code execution via SSH command-line argument injection. This issue arises from improper handling of hostnames on the command line in the cockpit-ws component. Red Hat has issued a security advisory (RHSA-2026:7384) addressing this vulnerability with updated packages for Red Hat Enterprise Linux 9 and its variants. The vulnerability is associated with CWE-78 (OS Command Injection).
AI Analysis
Technical Summary
Cockpit is a web-based interface for administering GNU/Linux servers, providing features such as network configuration, log inspection, and interactive command-line sessions. The vulnerability CVE-2026-4631 involves unauthenticated remote code execution caused by SSH command-line argument injection due to insufficient sanitization of hostnames in the cockpit-ws component. Red Hat has released an update for Red Hat Enterprise Linux 9 to explicitly handle hostnames more securely on the command line, mitigating this issue. The advisory does not provide a CVSS score but rates the severity as critical.
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code remotely on affected systems via the cockpit web service. This could lead to full system compromise given the critical severity rating and the nature of remote code execution.
Mitigation Recommendations
Red Hat has released updated cockpit packages for Red Hat Enterprise Linux 9 and its Extended Update Support and Extended Life Cycle variants that fix this vulnerability. Users should apply these updates promptly. Before applying this update, ensure all previously released errata relevant to the system have been applied. Refer to Red Hat's official update instructions at https://access.redhat.com/articles/11258. No alternative mitigations or workarounds are specified in the advisory.
Red Hat Security Advisory: cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
Description
A critical vulnerability (CVE-2026-4631) in Cockpit, a web-based server administration tool for GNU/Linux, allows unauthenticated remote code execution via SSH command-line argument injection. This issue arises from improper handling of hostnames on the command line in the cockpit-ws component. Red Hat has issued a security advisory (RHSA-2026:7384) addressing this vulnerability with updated packages for Red Hat Enterprise Linux 9 and its variants. The vulnerability is associated with CWE-78 (OS Command Injection).
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Cockpit is a web-based interface for administering GNU/Linux servers, providing features such as network configuration, log inspection, and interactive command-line sessions. The vulnerability CVE-2026-4631 involves unauthenticated remote code execution caused by SSH command-line argument injection due to insufficient sanitization of hostnames in the cockpit-ws component. Red Hat has released an update for Red Hat Enterprise Linux 9 to explicitly handle hostnames more securely on the command line, mitigating this issue. The advisory does not provide a CVSS score but rates the severity as critical.
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code remotely on affected systems via the cockpit web service. This could lead to full system compromise given the critical severity rating and the nature of remote code execution.
Mitigation Recommendations
Red Hat has released updated cockpit packages for Red Hat Enterprise Linux 9 and its Extended Update Support and Extended Life Cycle variants that fix this vulnerability. Users should apply these updates promptly. Before applying this update, ensure all previously released errata relevant to the system have been applied. Refer to Red Hat's official update instructions at https://access.redhat.com/articles/11258. No alternative mitigations or workarounds are specified in the advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:7384
- Cve Count
- 1
- Additional Cves
- []
- Cvss Version
- null
Threat ID: 6a3da1be4853345fc181bd02
Added to database: 06/25/2026, 21:46:38 UTC
Last enriched: 06/25/2026, 21:50:26 UTC
Last updated: 06/25/2026, 23:09:02 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.