CVE-2026-57855
Cockpit CMS Missing Authorization in Bucket File Storage API
Vexday Risk Score
18Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.7EPSS —KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
13 jul 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
Cockpit HQ · Cockpit CMS