cockpit-344-2.el9_7.ML.1

Errata ID: AXSA:2026-473:03

Release date: Tuesday, April 21, 2026 - 11:39
Subject: cockpit-344-2.el9_7.ML.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

Cockpit enables users to administer GNU/Linux servers using a web browser. It
offers network configuration, log inspection, diagnostic reports, SELinux
troubleshooting, interactive command-line sessions, and more.

Security Fix(es):

* cockpit: ws: be more explicit when handling hostnames on cli (CVE-2026-4631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2026-4631
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
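
The validation step this description says was missing, sketched as an added example; it is not Cockpit's code and not the upstream fix. The allowlist patterns, function names and sample inputs are assumptions chosen for illustration.

```python
import ipaddress
import re

# Hypothetical allowlists (assumptions, not taken from Cockpit's source).
# A label may not begin or end with '-', so it can never parse as an option.
HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
USERNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


class RejectedTarget(ValueError):
    """Raised when a user-supplied login target fails validation."""


def validate_host(host: str) -> str:
    if not host or len(host) > 253:
        raise RejectedTarget("empty or over-long host")
    try:
        # Literal IPv4/IPv6 addresses are returned in canonical form.
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    # Otherwise every dot-separated label must match the allowlist.
    if all(HOST_LABEL.fullmatch(label) for label in host.split(".")):
        return host
    raise RejectedTarget("host contains characters outside the allowlist")


def validate_user(user: str) -> str:
    if USERNAME.fullmatch(user or ""):
        return user
    raise RejectedTarget("username contains characters outside the allowlist")


def build_ssh_argv(user: str, host: str) -> list[str]:
    """Return an argv list for ssh; run it without a shell.

    '--' ends option parsing, so the destination cannot be read as an
    option even if a validation rule is loosened later.
    """
    return ["ssh", "-l", validate_user(user), "--", validate_host(host)]


def is_rejected(user: str, host: str) -> bool:
    try:
        build_ssh_argv(user, host)
    except RejectedTarget:
        return True
    return False
```

Validation runs before any process is spawned, which matters here because the advisory places the injection ahead of credential verification.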

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. cockpit-344-2.el9_7.ML.1.src.rpm
    MD5: 21da543ea4939c1ad7a3c07ae8d0f998
    SHA-256: 90544cd6cbab73dca47756e2843f7dcd7246c3696069a3c2f313955bce05d0ca
    Size: 14.29 MB

Asianux Server 9 for x86_64
  1. cockpit-344-2.el9_7.ML.1.x86_64.rpm
    MD5: d3bb53da466bf07b3caf5bd536255cd2
    SHA-256: 918d867dbbe151d34cac74947f2cb0ce4bfced014db6208728c3749dc5c245ef
    Size: 39.73 kB
  2. cockpit-bridge-344-2.el9_7.ML.1.noarch.rpm
    MD5: b0eb7c570f289835bb0fa08c9d280a70
    SHA-256: 8be2fc7d45aa913a239171d9065f3aad870986773ca54adc2d18be61ba99cd71
    Size: 608.45 kB
  3. cockpit-doc-344-2.el9_7.ML.1.noarch.rpm
    MD5: 7fd9e53c5ce4ee9f4a7c113950711c9e
    SHA-256: f9230d4c3978b67f5439b98103948bdb63707b3d1cf717d7c9726d5bd7d33553
    Size: 169.39 kB
  4. cockpit-packagekit-344-2.el9_7.ML.1.noarch.rpm
    MD5: 1a528c6a05f8bf0c96a405e213f637fc
    SHA-256: 2cbb5e9cf68d12bb7fbbf211be866f46cb56e9852bc78565873e2bb7c92c9d14
    Size: 918.08 kB
  5. cockpit-storaged-344-2.el9_7.ML.1.noarch.rpm
    MD5: 0689e4ac6a1a1a443b5a4920b41bc194
    SHA-256: 173aa02c0f0109818f1dd9c3d1a841cf309a0652e1e52b72918663cbed7d7aa0
    Size: 856.24 kB
  6. cockpit-system-344-2.el9_7.ML.1.noarch.rpm
    MD5: 54c798f3c57373e2d042681faea0dfb2
    SHA-256: 8a30f17e42595eec44c5d54975d166743a1930dcdd8de62c2954b945493b957a
    Size: 5.30 MB
  7. cockpit-ws-344-2.el9_7.ML.1.x86_64.rpm
    MD5: fc5ea044d91941af5b2653c954b84c83
    SHA-256: ec848865d4c132a376a521b89b1c557d66ce933626a4121fc4e8ccfc2412362a
    Size: 1.07 MB
  8. cockpit-ws-selinux-344-2.el9_7.ML.1.x86_64.rpm
    MD5: ab9dcda4c0027f636127fc8cb52bbf53
    SHA-256: 72cb6522b6215ed473f40cbaa441d1d319e26ba8e00051f430b1badf8e1c4fe9
    Size: 42.38 kB