vulnerability in Cockpit’s system logs UI code (pkg/systemd/logsJournal.jsx, loadServiceFilters() path). The flaw is caused by building a command from an array, joining it into a single string with only space escaping, and then executing it via /bin/bash -ec. User-controlled parameters from the logs page (e.g., #/system/logs#/?since=...) reach this code path unsanitized and can include shell metacharacters such as command substitution ($(...)). A crafted link can therefore inject arbitrary shell commands into the constructed pipeline (set -o pipefail; ... | grep ... | sort -u) and execute them on the host. The provided PoC demonstrates writing the output of id into /tmp/cockpit-rce-proof, confirming code execution in the target environment.
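To make the root cause concrete, here is an added illustration (not Cockpit's own code) of the unsafe pattern described above, escaping only spaces before handing the joined string to a shell, beside the per-argument quoting and input validation that neutralise it; the `TIME_SPEC` allow-list and the sample `since` value are assumptions constructed for the example.

```javascript
// Added example, not taken from pkg/systemd/logsJournal.jsx.

// Unsafe pattern: only spaces are escaped, so $(...), backticks, ';' and '|'
// pass through verbatim into the string that `bash -ec` will later parse.
function joinEscapingSpacesOnly(argv) {
    return argv.map(a => a.replace(/ /g, "\\ ")).join(" ");
}

// Hardened pattern: wrap every argument in single quotes. Inside single quotes
// bash treats every character literally; an embedded ' is closed, escaped and
// reopened ('\''), so no argument can break out of its quotes.
function shellQuote(arg) {
    return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

function joinWithQuoting(argv) {
    return argv.map(shellQuote).join(" ");
}

// Defence in depth: reject values that do not look like a time spec before they
// reach any command at all. This allow-list is an assumption for the example and
// is narrower than what journalctl --since actually accepts.
const TIME_SPEC = new RegExp(
    "^(now|today|yesterday" +
    "|[+-]?\\d+(s|min|h|d|w|months?|years?)( ago)?" +
    "|\\d{4}-\\d{2}-\\d{2}( \\d{2}:\\d{2}(:\\d{2})?)?)$"
);

function validateTimeSpec(value) {
    return TIME_SPEC.test(String(value));
}

// Constructed sample: a `since` value carrying a command substitution.
const SAMPLE_SINCE = "2024-01-01 $(echo injected)";

function demo() {
    const argv = ["journalctl", "--since", SAMPLE_SINCE];
    return {
        unsafe: joinEscapingSpacesOnly(argv),   // $(...) still unquoted
        safe: joinWithQuoting(argv),            // $(...) inert inside '...'
        accepted: validateTimeSpec(SAMPLE_SINCE) // false: rejected up front
    };
}

// The best fix is to avoid the shell entirely and pass argv to the process
// directly (e.g. a spawn API that takes an argument array); quoting is the
// fallback when a shell pipeline is genuinely required.
console.log(demo());
```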
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:21390 https://access.redhat.com/errata/RHSA-2026:21390
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:21395 https://access.redhat.com/errata/RHSA-2026:21395
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:21394 https://access.redhat.com/errata/RHSA-2026:21394
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:21392 https://access.redhat.com/errata/RHSA-2026:21392
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:21468 https://access.redhat.com/errata/RHSA-2026:21468
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:21515 https://access.redhat.com/errata/RHSA-2026:21515
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:21516 https://access.redhat.com/errata/RHSA-2026:21516
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:21647 https://access.redhat.com/errata/RHSA-2026:21647
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:21676 https://access.redhat.com/errata/RHSA-2026:21676
Upstream advisory: https://github.com/cockpit-project/cockpit/security/advisories/GHSA-6jmq-qw8f-w3r6
Upstream commit: https://github.com/cockpit-project/cockpit/commit/e3a47d70f99a0dbbb427b3146ae9571cecc44296
Fixed upstream in versions 362 and 356.2.