GHSA-7X5C-VFHJ-9628
Vulnerability from github – Published: 2026-03-17 17:07 – Updated: 2026-03-19 19:01
Impact
This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.
Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected.
Who is impacted:
- Any deployment where the /api/content/aggregate/{model} endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability; no admin access is required.
What an attacker can do:
- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the _state=1 published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.
Confidentiality impact is High. Integrity and availability are not directly affected by this vulnerability.
Patches
This vulnerability has been patched in version 2.13.5.
All users running Cockpit CMS version 2.13.4 or earlier are strongly advised to upgrade to 2.13.5 or later immediately.
- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5
The fix applies the same field-name sanitization introduced in v2.13.3 for toJsonPath()
to the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php,
closing the injection vector in the Aggregation Optimizer.
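The mechanism the advisory describes (a caller-supplied field name interpolated into a json_extract() path, letting the attacker break out of the SQL string literal and comment away the _state=1 filter) and the shape of the fix (whitelisting the field name before it reaches the query text) are shown below in a self-contained model. This is an added example, not code from the advisory or from the Cockpit code base: Cockpit is PHP, while this reconstruction uses Python's sqlite3 module so it can be run offline against the same SQLite json_extract() function. The table layout, the sample documents, the exact SQL the server assembles, the builder names and the field-name regex are all assumptions chosen for illustration.

```python
import json
import re
import sqlite3

# Constructed sample content (not real Cockpit data): each row stores one JSON document,
# mirroring a document store layered on SQLite. _state=1 marks a published document.
SAMPLE_DOCS = [
    {"_id": 1, "title": "Public post", "_state": 1},
    {"_id": 2, "title": "Another public post", "_state": 1},
    {"_id": 3, "title": "Secret draft", "_state": 0},
]


def make_db():
    """Build an in-memory SQLite database holding SAMPLE_DOCS as JSON text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, document TEXT NOT NULL)")
    for doc in SAMPLE_DOCS:
        conn.execute(
            "INSERT INTO posts (id, document) VALUES (?, ?)",
            (doc["_id"], json.dumps(doc)),
        )
    conn.commit()
    return conn


def to_json_extract_raw_vulnerable(field):
    """Assumed vulnerable shape: the caller-supplied field name is dropped straight
    into a quoted JSON path inside the SQL text. A field name containing a single
    quote therefore breaks out of the string literal and into the statement."""
    return f"json_extract(document, '$.{field}')"


# Assumed whitelist: a dotted identifier (letters, digits, underscore, dots for nesting).
# The advisory only says the fix sanitizes field names; this exact rule is an assumption.
FIELD_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def to_json_extract_raw_hardened(field):
    """Same builder, but refuses any field name that is not a plain dotted identifier,
    so no quote, parenthesis or comment marker can reach the SQL text."""
    if not FIELD_NAME_RE.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    return f"json_extract(document, '$.{field}')"


def project_published(conn, builder, field):
    """Model of an aggregation projection: select one field from every document,
    with the server-side published-content filter (_state = 1) appended after it.
    Returns the projected values in row order."""
    sql = (
        f"SELECT {builder(field)} FROM posts "
        "WHERE json_extract(document, '$._state') = 1 ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


# Constructed attacker-controlled field name: closes the path literal and the
# json_extract() call, then uses a SQL line comment to discard the _state filter.
INJECTED_FIELD = "title') FROM posts -- "


if __name__ == "__main__":
    db = make_db()
    print("benign:", project_published(db, to_json_extract_raw_vulnerable, "title"))
    print("injected, vulnerable builder:",
          project_published(db, to_json_extract_raw_vulnerable, INJECTED_FIELD))
    try:
        project_published(db, to_json_extract_raw_hardened, INJECTED_FIELD)
    except ValueError as exc:
        print("injected, hardened builder:", exc)
```

With the vulnerable builder, the benign field name returns only the two published titles, while the injected field name turns the statement into `SELECT json_extract(document, '$.title') FROM posts -- ...` and the unpublished "Secret draft" comes back as well. The hardened builder rejects the same input before any SQL is assembled, which is the property the 2.13.5 change restores for toJsonExtractRaw(): a field name is data, not query text, and must be validated as such.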
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "cockpit-hq/cockpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31891"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T17:07:41Z",
"nvd_published_at": "2026-03-18T04:17:19Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThis is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.\n\nAny Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled\nis potentially affected.\n\n**Who is impacted:**\n- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly\n accessible or reachable by untrusted users.\n- Attackers in possession of a **valid read-only API key** (the lowest privilege level)\n can exploit this vulnerability \u2014 no admin access is required.\n\n**What an attacker can do:**\n- Inject arbitrary SQL via unsanitized field names in aggregation queries.\n- Bypass the `_state=1` published-content filter to access unpublished or restricted content.\n- Extract unauthorized data from the underlying SQLite content database.\n\n**Confidentiality impact is High.** Integrity and availability are not directly affected\nby this vulnerability.\n\n### Patches\n\nThis vulnerability has been **patched in version 2.13.5**.\n\nAll users running Cockpit CMS version **2.13.4 or earlier** are strongly advised to\nupgrade to **2.13.5 or later** immediately.\n\n- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5\n\nThe fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()`\nto the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`,\nclosing the injection vector in the Aggregation Optimizer.",
"id": "GHSA-7x5c-vfhj-9628",
"modified": "2026-03-19T19:01:18Z",
"published": "2026-03-17T17:07:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cockpit-HQ/Cockpit/security/advisories/GHSA-7x5c-vfhj-9628"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31891"
},
{
"type": "PACKAGE",
"url": "https://github.com/Cockpit-HQ/Cockpit"
},
{
"type": "WEB",
"url": "https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() "
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.