UBUNTU-CVE-2026-31891

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-31891

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-31891.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-31891

Upstream

CVE-2026-31891

Published

2026-03-18T04:17:00Z

Modified

2026-03-25T19:49:01.062301Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/{model} endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the _state=1 published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for toJsonPath() to the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php, closing the injection vector in the Aggregation Optimizer.

References

Affected packages

Ubuntu:18.04:LTS / cockpit

Package

Name: cockpit
Purl: pkg:deb/ubuntu/cockpit@164-1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

Other

151-1

156-1

157-1

158-1

160-1

161-1

162-1

163-1

164-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "164-1",
            "binary_name": "cockpit"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-bridge"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-dashboard"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-docker"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-machines"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-networkmanager"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-packagekit"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-storaged"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-system"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-tests"
        },
        {
            "binary_version": "164-1",
            "binary_name": "cockpit-ws"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-31891.json"

Ubuntu:20.04:LTS / cockpit

Package

Name: cockpit
Purl: pkg:deb/ubuntu/cockpit@215-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

202.*

202.1-1

Other

204-1

206-1

207-1

208-1

210-1

211-1

212-1

213-1

215-1

214.*

214.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "215-1",
            "binary_name": "cockpit"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-bridge"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-dashboard"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-machines"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-networkmanager"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-packagekit"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-pcp"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-storaged"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-system"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-tests"
        },
        {
            "binary_version": "215-1",
            "binary_name": "cockpit-ws"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-31891.json"

Ubuntu:22.04:LTS / cockpit

Package

Name: cockpit
Purl: pkg:deb/ubuntu/cockpit@264-1ubuntu0.22.04.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

Other

252-1

256-1

257-1

258-1

259-1

260-1

261-1

262-1

263-1

264-1

264-1ubuntu0.*

264-1ubuntu0.22.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-bridge"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-networkmanager"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-packagekit"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-pcp"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-sosreport"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-storaged"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-system"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-tests"
        },
        {
            "binary_version": "264-1ubuntu0.22.04.1",
            "binary_name": "cockpit-ws"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-31891.json"

Ubuntu:24.04:LTS / cockpit

Package

Name: cockpit
Purl: pkg:deb/ubuntu/cockpit@314-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

300.*

300.1-1

Other

303-1

304-1

305-1

306-1

307-1

308-1

309-1

311-1

312-1build2

314-1

310.*

310.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "314-1",
            "binary_name": "cockpit"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-bridge"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-networkmanager"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-packagekit"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-pcp"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-sosreport"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-storaged"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-system"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-tests"
        },
        {
            "binary_version": "314-1",
            "binary_name": "cockpit-ws"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-31891.json"

Ubuntu:25.10 / cockpit

Package

Name: cockpit
Purl: pkg:deb/ubuntu/cockpit@346-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

Other

333-1

337-1

339-1

342-1

343-1

345-1

346-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "346-1",
            "binary_name": "cockpit"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-bridge"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-networkmanager"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-packagekit"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-sosreport"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-storaged"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-system"
        },
        {
            "binary_version": "346-1",
            "binary_name": "cockpit-ws"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-31891.json"