In the world of Linux server management, ease of use and security are intended to go hand-in-hand. However, a critical vulnerability discovered in Cockpit, the lightweight and popular interactive server admin interface, has turned that convenience into a potential crisis for system administrators.
The vulnerability, tracked as CVE-2026-4631, carries a CVSS score of 9.8. It allows unauthenticated attackers to achieve full Remote Code Execution (RCE) on the Cockpit host—without needing a single valid credential.
The flaw lies within Cockpit’s remote login feature, which lets a browser session log into a host and interact directly with its operating system through a real Linux session. When a user attempts to log in via the web interface, the system passes the user-supplied hostname and username directly to the underlying SSH client.
In affected versions, this transfer happens without any validation or sanitization. By carefully crafting a single HTTP request to the login endpoint, an attacker with network access can inject malicious SSH options or shell commands.
Crucially, the injection occurs during the authentication flow before any credential verification takes place. This means that the vulnerability can be exploited by anyone capable of reaching the web service, bypassing the login screen entirely.
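The following is an added illustration, not Cockpit's own code and not the fix in the cited commits: it shows the general shape of the defect the article describes (caller-controlled strings placed on an ssh command line with no inspection) beside a hardened version that allow-lists the hostname and username and terminates option parsing before any user-derived argument. The regular expressions, the function names and the sample values are assumptions made for this example.

```python
"""Added illustration (not Cockpit's code): building an ssh argument vector from
values a login form submits, first with no validation (the pattern the article
describes) and then with an allow-list and an explicit end-of-options marker."""
import re

# Assumed policy, not Cockpit's: a DNS-style hostname and a POSIX-style username.
# Neither pattern can begin with '-', so ssh can never read the value as an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class InvalidLoginTarget(ValueError):
    """Raised when a submitted value must not reach the ssh command line."""


def unsafe_ssh_argv(user: str, host: str) -> list[str]:
    """The flawed shape: caller-controlled strings are concatenated as-is.
    Whatever the browser submitted becomes an argument without inspection."""
    return ["ssh", f"{user}@{host}"]


def validate_target(user: str, host: str, port: int = 22) -> tuple[str, str, int]:
    """Reject anything outside the allow-list; return the validated triple."""
    if not _USER_RE.fullmatch(user):
        raise InvalidLoginTarget(f"rejected username: {user!r}")
    if not _HOST_RE.fullmatch(host):
        raise InvalidLoginTarget(f"rejected hostname: {host!r}")
    if not 1 <= port <= 65535:
        raise InvalidLoginTarget(f"rejected port: {port!r}")
    return user, host, port


def safe_ssh_argv(user: str, host: str, port: int = 22) -> list[str]:
    """Hardened shape: validated values only, options fixed by the program, and
    '--' so that ssh stops option parsing before the user-derived argument."""
    user, host, port = validate_target(user, host, port)
    return ["ssh", "-p", str(port), "--", f"{user}@{host}"]


def is_suspicious_login_value(value: str) -> bool:
    """Triage helper for reviewing captured login requests: true when the value
    would be read as an option or carries shell metacharacters."""
    return value.startswith("-") or any(ch in value for ch in ";|&`$\n\r")


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(safe_ssh_argv("admin", "db01.example.internal"))
    for candidate in ("db01.example.internal", "-constructed-bad-value"):
        verdict = "reject" if is_suspicious_login_value(candidate) else "ok"
        print(candidate, "->", verdict)
```

The allow-list does the real work; the `--` separator is a second, independent barrier in case a future change loosens the pattern. `is_suspicious_login_value` is a triage aid for reviewing request logs captured before patching, not a substitute for the upgrade.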
Because Cockpit is designed to provide an interactive admin interface for entire servers, the impact of unauthorized code execution is absolute. An attacker who successfully exploits this SSH command-line argument injection effectively assumes control of the host system. Given its 9.8 severity rating, this represents a “patch now” emergency for all exposed installations.
The Cockpit development team has released a definitive fix to address this critical exposure.
- Upgrade Immediately: The primary recommendation for all users is to upgrade to Cockpit version 360.
- Backporting Patches: For organizations unable to perform a full version jump, administrators can backport specific patches. These include commit 9d0695647 and a fix for the ferny session management component (allisonkarlitskaya/ferny@44ec511c99) that targets src/cockpit/_vendor/ferny/session.py.
- Official OS Support: An official Debian patch is available that incorporates both fixes and is applicable to recent Cockpit versions.
If an immediate upgrade is not feasible, a temporary workaround is available: disabling the “Login To” option in the cockpit.conf configuration file. While this disables the direct login feature and mitigates the immediate risk of injection, the development team strongly recommends a full upgrade to version 360 as soon as possible.
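As an added check (not code from the Cockpit project), the script below confirms across a fleet whether the workaround is actually in place by parsing cockpit.conf. It assumes the option is named `LoginTo` in the `[WebService]` section, as documented in cockpit.conf(5), and that the file lives at /etc/cockpit/cockpit.conf; a missing file, section or key is reported as "not confirmed" rather than assumed safe.

```python
"""Added check (not Cockpit's code): confirm that the "Login To" workaround is
in place by reading cockpit.conf. Assumes the option is `LoginTo` in the
`[WebService]` section, as documented in cockpit.conf(5)."""
import configparser
from pathlib import Path

CONF_PATH = Path("/etc/cockpit/cockpit.conf")  # default location, assumed


def login_to_disabled(conf_text: str) -> bool:
    """True only when LoginTo is explicitly set to a false value.
    A missing section, missing key or unparseable value is reported as
    'not confirmed', so the caller does not mistake a default for a fix."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(conf_text)
    except configparser.Error:
        return False
    if not parser.has_option("WebService", "LoginTo"):
        return False
    try:
        return not parser.getboolean("WebService", "LoginTo")
    except ValueError:
        return False


def check_file(path: Path = CONF_PATH) -> str:
    """Human-readable verdict for one host's configuration file."""
    if not path.exists():
        return f"{path}: file absent, LoginTo workaround not confirmed"
    state = "disabled" if login_to_disabled(path.read_text()) else "not confirmed"
    return f"{path}: LoginTo workaround {state}"


# Constructed sample, written the way the workaround would appear in the file.
SAMPLE_CONF = """[WebService]
LoginTo = false
"""

if __name__ == "__main__":
    print("sample config disables LoginTo:", login_to_disabled(SAMPLE_CONF))
    print(check_file())
```

Run it from a configuration-management job or over SSH on each host; anything other than "disabled" means the host is still relying on the upgrade to version 360 for protection.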