PatchSiren cyber security CVE debrief
CVE-2026-57856 Cockpit HQ CVE debrief
CVE-2026-57856 is a path traversal vulnerability in Cockpit CMS. The Bucket file storage API (/system/buckets/api) in Cockpit CMS is vulnerable to path traversal attacks. The vulnerability allows an authenticated low-privileged user to list, upload, and delete files across all buckets, including those belonging to other users or roles. This vulnerability has a high severity and requires immediate attention from administrators and users of Cockpit CMS.
- Vendor
- Cockpit HQ
- Product
- Cockpit CMS
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of Cockpit CMS should be aware of this vulnerability and take immediate action to mitigate the risk. This vulnerability can be exploited by an authenticated low-privileged user, which makes it a high-severity issue. The vulnerability affects Cockpit CMS and requires attention from operators, platform administrators, vulnerability management teams, and security teams.
Technical summary
The Bucket file storage API (/system/buckets/api) in Cockpit CMS contains a path traversal vulnerability. The api() method in modules/System/Controller/Buckets.php uses a regular expression to sanitize the bucket name, but it allows '..' and '../' sequences. This can be used by an authenticated low-privileged user to access files outside the intended directory. The vulnerability has a CVSS score of 8.7 and is classified as HIGH. The vulnerability affects Cockpit CMS and can be exploited by an authenticated low-privileged user.
Defensive priority
High
Recommended defensive actions
- Update Cockpit CMS to the latest version
- Restrict access to the Bucket file storage API
- Monitor for suspicious activity
- Implement additional security measures such as Web Application Firewalls (WAFs)
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T23:16:46.883Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. This information is based on the NVD entry and the CVE record. The vulnerability affects Cockpit CMS, specifically the Bucket file storage API (/system/buckets/api). The vulnerability allows an authenticated low-privileged user to list, upload, and delete files across all buckets, including those belonging to other users or roles. Evidence limits suggest that further verification is needed to confirm affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T23:16:46.883Z and has not been modified since then.