CVE-2026-57855 in Cockpit CMSinfo

Summary

by MITRE • 07/14/2026

Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability identified in Cockpit CMS represents a critical authorization flaw that undermines the system's access control mechanisms within its Bucket file storage API. This issue resides in the /system/buckets/api endpoint where the api() method in modules/System/Controller/Buckets.php fails to implement proper authentication checks before executing bucket operations. The flaw allows any authenticated user to perform administrative-level actions on all buckets regardless of their assigned roles or permissions, effectively bypassing the intended security boundaries that should separate user access from privileged operations.

This missing authorization check creates a severe privilege escalation vector that directly violates fundamental security principles outlined in CWE-284 Access Control. The vulnerability specifically affects the bucket commands including ls listing, upload file operations, removefiles deletion, rename file operations, and createfolder creation functions within the system's storage management interface. When an authenticated user accesses these endpoints, they can execute any of these administrative operations against any named bucket in the system, including those designated for administrator-only use.

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential data compromise and system integrity violations. An attacker with basic user credentials could systematically enumerate buckets, upload malicious files to sensitive storage areas, delete critical files from administrative repositories, rename important resources to disrupt operations, or create new folders in locations where such actions should be restricted. This comprehensive access allows for both destructive and stealthy attacks that can compromise the entire file storage infrastructure of the CMS.

The attack surface is particularly concerning given that Cockpit CMS typically serves as a content management system that may store sensitive user data, configuration files, and potentially application code within its bucket storage mechanisms. The vulnerability effectively neutralizes role-based access control implementations and allows for lateral movement across different security zones within the application's storage architecture. This issue aligns with ATT&CK technique T1078 Valid Accounts where an attacker leverages legitimate credentials to perform unauthorized actions beyond their intended scope.

Organizations should immediately implement mitigations including mandatory access control checks before any bucket operations, role-based permission validation for all API endpoints, and comprehensive logging of bucket operations for audit purposes. The fix requires implementing proper ACL verification within the api() method before executing any bucket commands, ensuring that only users with appropriate permissions can access specific buckets. Additionally, the system should enforce least privilege principles where user accounts are granted minimal required permissions rather than broad administrative capabilities, addressing the root cause of this authorization failure through proper security architecture implementation.

Responsible

VulnCheck

Reservation

06/25/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!