← voltar
CVE-2026-57855

Cockpit CMS Missing Authorization in Bucket File Storage API

CVSS 8.7 HIGHCWE-284
Vexday Risk Score
18Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.7EPSS KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
13 jul 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Produtos afetados
Cockpit HQ · Cockpit CMS