CVE-2026-4802

Red Hat · Cockpit

An OS command injection vulnerability exists in Red Hat Cockpit, allowing authenticated low-privileged users to execute arbitrary commands on the host system.

Executive summary

A critical OS command injection vulnerability in Red Hat Cockpit could allow authenticated attackers to achieve full system compromise.

Vulnerability

This is an OS Command Injection (CWE-78) vulnerability. It requires an attacker to have authenticated access (low privileges) and involves the interaction of malicious input with system-level commands.

Business impact

Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the Cockpit service, potentially leading to a full system takeover. Given the CVSS score of 8.0, this represents a high-risk scenario where unauthorized access can result in complete data exfiltration, service disruption, or lateral movement within the network.

Remediation

Immediate Action: Apply the relevant security errata provided by Red Hat (e.g., RHSA-2026:21390 and associated links) to update the Cockpit package to the specified fixed versions.

Proactive Monitoring: Review system and application logs for unexpected command execution patterns or suspicious process spawning originating from the Cockpit user context.

Compensating Controls: Implement strict network segmentation to limit access to the Cockpit management interface to trusted administrative subnets only.

Exploitation status

Public Exploit Available: Yes — a public proof-of-concept exists on GitHub.

Analyst recommendation

The vulnerability presents a significant risk to the integrity and availability of RHEL-based systems. Administrators should prioritize the deployment of the provided security errata across all affected RHEL 8 and 10 environments to mitigate the threat of remote command execution.