Cockpit CMS authenticated RCE (CVE-2026-34965)

Severity: High (CVSS 8.8)

CVE-2026-34965: Cockpit CMS authenticated RCE via collection rules injection (CVSS 8.8). Attackers with low privileges can execute arbitrary PHP code. Update to the latest patched version.

Vendor-confirmed: CVE-2026-34965 is a high-severity authenticated remote code execution vulnerability in Cockpit CMS that lets an attacker holding collection management privileges inject arbitrary PHP code and execute commands on the underlying server. Patched versions are available from the Cockpit CMS maintainers; apply them immediately.

Overview

CVE-2026-34965 is an authenticated remote code execution (RCE) vulnerability found in the Cockpit CMS /cockpit/collections/save_collection endpoint. An attacker who has authenticated access to the CMS and holds collection management privileges can inject malicious PHP code into collection rule parameters. This injected code is written directly to server-side PHP files and then executed via PHP’s include() function, allowing the attacker to run arbitrary system commands on the web server.

The vulnerability has a CVSS score of 8.8 (High) due to its low attack complexity, low privileges required, and network-based attack vector with no user interaction needed.

Impact

Successful exploitation of CVE-2026-34965 enables an authenticated attacker with standard collection management privileges to:

  • Execute arbitrary operating system commands on the web server
  • Read, modify, or delete sensitive files and data
  • Install persistent backdoors or malware
  • Potentially move laterally within the network if the server has additional access

This vulnerability effectively grants the attacker full control of the affected Cockpit CMS server, compromising all data processed or stored by the application.

Affected Versions

All versions of Cockpit CMS prior to the patched release are vulnerable. The Cockpit CMS team released patches for this vulnerability in [insert patched version number].

Remediation

  1. Update Cockpit CMS to the latest patched version immediately.
  2. Review collection rules in existing deployments for any signs of unauthorized modifications or injected PHP code.
  3. Audit server logs for suspicious activity related to the /cockpit/collections/save_collection endpoint.
  4. Restrict access to the Cockpit CMS admin panel to only trusted network segments and users.
  5. Implement Web Application Firewall (WAF) rules to block malicious input patterns in request parameters.
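The script below is an added example for remediation steps 2 and 3 above; it is not Cockpit CMS code or vendor tooling. It assumes that collection definitions are stored as PHP files which embed each rule body as a string (the directory path is a placeholder) and that the web server writes a combined-format access log. The sample collection file and log lines are constructed for illustration.

```python
"""Triage helpers for CVE-2026-34965 (added example, not Cockpit CMS code).

Assumptions, labelled: collection definitions are PHP files that embed rule
bodies as strings, and the web server writes a combined-format access log.
Paths and sample data below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from pathlib import Path

# PHP calls that have no business inside a collection rule: a rule should
# only adjust the request context, never spawn processes, eval strings or
# write files. Any hit is a finding that deserves a human look.
SUSPICIOUS_CALLS = (
    "shell_exec", "system", "passthru", "exec", "popen", "proc_open",
    "eval", "base64_decode", "file_put_contents", "fwrite",
)
SUSPICIOUS_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SUSPICIOUS_CALLS)) + r")\s*\(", re.IGNORECASE
)


def scan_rule_source(php_source: str) -> list[dict]:
    """Return one finding per suspicious call in a collection definition."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for match in SUSPICIOUS_RE.finditer(line):
            findings.append({"line": lineno, "call": match.group(1).lower(), "text": line.strip()})
    return findings


def scan_collection_dir(directory: Path) -> dict[str, list[dict]]:
    """Scan every *.php file under a (placeholder) collections directory."""
    return {
        str(path): hits
        for path in sorted(directory.rglob("*.php"))
        if (hits := scan_rule_source(path.read_text(errors="replace")))
    }


SAVE_ENDPOINT = "/cockpit/collections/save_collection"
# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def audit_access_log(lines) -> dict:
    """Summarise requests to the save_collection endpoint.

    Every 2xx request here persisted a collection definition; in a compromised
    deployment the injected rule arrived through one of them, so the source
    IPs, user agents and timestamps are the starting point for a timeline.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == SAVE_ENDPOINT:
            hits.append(m.groupdict())
    return {
        "total": len(hits),
        "by_ip": Counter(h["ip"] for h in hits),
        "by_ua": Counter(h["ua"] for h in hits),
        "successful": [h for h in hits if h["status"].startswith("2")],
    }


# Constructed sample data (not taken from any real deployment).
SAMPLE_COLLECTION_PHP = """<?php
return [
    'name' => 'posts',
    'rules' => [
        'create' => ['enabled' => true, 'rule' => '$context->options["filter"] = ["published" => true];'],
        'read'   => ['enabled' => true, 'rule' => 'shell_exec("id");'],
    ],
];
"""
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:15:02 +0000] "POST /cockpit/collections/save_collection HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:15:05 +0000] "POST /cockpit/collections/save_collection HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2026:10:20:41 +0000] "GET /cockpit/collections HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:21:09 +0000] "POST /cockpit/collections/save_collection HTTP/1.1" 403 0 "-" "curl/8.0"',
    "not a log line",
]

if __name__ == "__main__":
    for f in scan_rule_source(SAMPLE_COLLECTION_PHP):
        print(f"line {f['line']}: {f['call']}() inside a rule -> {f['text']}")
    report = audit_access_log(SAMPLE_ACCESS_LOG)
    print(f"{report['total']} save_collection requests, {len(report['successful'])} succeeded")
    print("by source IP:", dict(report["by_ip"]))
    # On a real host, with the placeholder path replaced by the deployment's own:
    # scan_collection_dir(Path("/var/www/cockpit/storage/collections"))
```

The rule scanner is deliberately a coarse string match: a rule that legitimately needs one of these calls is itself a design smell, so false positives are cheap to review by hand. The log audit groups only successful (2xx) saves, since those are the requests that could have written a rule to disk; pair its timestamps with the modification times of the flagged collection files to confirm when the injection happened.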

Security Insight

CVE-2026-34965 follows a recurring pattern in content management systems where trusted administrative interfaces become vectors for code injection. The vulnerability is particularly concerning because it requires only low privileges to exploit: a user with basic collection editing rights can gain full server control. This highlights the critical importance of strict privilege separation and input validation even for authenticated operations. Administrators should treat any CMS endpoint that writes to the filesystem as a high-risk attack surface.
