Bug 2451155 (CVE-2026-4802)

Summary: CVE-2026-4802 cockpit: Cockpit: Arbitrary command execution via crafted links in system logs UI
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agk, duffy, jvanderwaa, rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2480095    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-25 10:32:45 UTC
vulnerability in Cockpit’s system logs UI code (pkg/systemd/logsJournal.jsx, loadServiceFilters() path). The flaw is caused by building a command from an array, joining it into a single string with only space escaping, and then executing it via /bin/bash -ec. User-controlled parameters from the logs page (e.g., #/system/logs#/?since=...) reach this code path unsanitized and can include shell metacharacters such as command substitution ($(...)). A crafted link can therefore inject arbitrary shell commands into the constructed pipeline (set -o pipefail; ... | grep ... | sort -u) and execute them on the host. The provided PoC demonstrates writing the output of id into /tmp/cockpit-rce-proof, confirming code execution in the target environment.

Comment 2 errata-xmlrpc 2026-05-27 16:34:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:21390 https://access.redhat.com/errata/RHSA-2026:21390

Comment 3 errata-xmlrpc 2026-05-27 17:01:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:21395 https://access.redhat.com/errata/RHSA-2026:21395

Comment 4 errata-xmlrpc 2026-05-27 17:03:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:21394 https://access.redhat.com/errata/RHSA-2026:21394

Comment 5 errata-xmlrpc 2026-05-27 17:06:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:21392 https://access.redhat.com/errata/RHSA-2026:21392

Comment 6 errata-xmlrpc 2026-05-27 22:01:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:21468 https://access.redhat.com/errata/RHSA-2026:21468

Comment 7 errata-xmlrpc 2026-05-27 23:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:21515 https://access.redhat.com/errata/RHSA-2026:21515

Comment 8 errata-xmlrpc 2026-05-27 23:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:21516 https://access.redhat.com/errata/RHSA-2026:21516

Comment 9 errata-xmlrpc 2026-05-28 04:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:21647 https://access.redhat.com/errata/RHSA-2026:21647

Comment 10 errata-xmlrpc 2026-05-28 06:30:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:21676 https://access.redhat.com/errata/RHSA-2026:21676