Cockpit: Unauthenticated Remote Code Execution via SSH Argument Injection

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Cockpit: Unauthenticated Remote Code Execution via SSH Argument Injection

MGASA-2026-0099

Summary

Cockpit's SSH server may allow an attacker to execute arbitrary code without a password. This affects systems using Cockpit and SSH. Update Cockpit to the latest version to fix this vulnerability.

What to do

Update cockpit to version 338-1.7.mga9.

Affected software

Ecosystem	Vendor	Product	Affected versions
Mageia:9	–	cockpit	< 338-1.7.mga9 Fix: upgrade to 338-1.7.mga9

Original title

Updated cockpit-338 packages fix security vulnerability

Original description

Unauthenticated remote code execution due to ssh command-line argument
injection. (CVE-2026-4631)

https://advisories.mageia.org/MGASA-2026-0099.html Vendor Advisory
https://bugs.mageia.org/show_bug.cgi?id=35351 Third Party Advisory

Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026