CVE-2026-57856 in Cockpit CMSinfo

Summary

by MITRE • 07/14/2026

Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem's WhitespacePathNormalizer resolves 'buckets/..' to the empty string (the uploads storage root) without raising PathTraversalDetected because the '..' has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a '../' bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability under examination represents a critical path traversal flaw within Cockpit CMS's Bucket file storage API, specifically affecting the system's handling of bucket names through the /system/buckets/api endpoint. This weakness stems from inadequate input sanitization mechanisms that fail to properly validate and sanitize user-supplied bucket identifiers, creating a pathway for unauthorized access to sensitive data across multiple user accounts and system resources. The vulnerability manifests in the api() method located within modules/System/Controller/Buckets.php where the preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket) function is employed to sanitize bucket names, yet this sanitization process explicitly permits dangerous sequences including '..' and '../' components that are essential for path traversal attacks.

The technical implementation of this vulnerability exploits the interaction between Cockpit's input validation logic and Flysystem's path normalization capabilities. While the system correctly removes potentially malicious characters from bucket names, it fails to address the specific case where directory traversal sequences like '../' remain intact within the sanitized output. When these sanitized values are interpolated into the Flysystem path construction as uploads://buckets/{bucket}, the WhitespacePathNormalizer component in Flysystem processes these sequences by resolving 'buckets/..' to an empty string representing the uploads storage root directory. This behavior, while intended to prevent traditional path traversal attacks, inadvertently creates a security loophole because it does not properly detect or reject the malicious '..' sequences that have been explicitly allowed through the initial sanitization process.

The operational impact of this vulnerability extends far beyond simple data access issues, as it fundamentally compromises the principle of least privilege and user isolation within the CMS environment. An authenticated low-privileged user can leverage this flaw to execute arbitrary operations across all buckets stored within the system, including listing contents of other users' buckets, uploading malicious files to shared directories, and deleting critical files belonging to different accounts or roles. This cross-user data exposure creates significant security implications for multi-tenant environments where multiple users operate within the same CMS instance, potentially enabling attackers to access confidential content, disrupt services, or establish persistent backdoors through strategic file uploads.

This vulnerability aligns with several industry standard classifications including CWE-23 (Relative Path Traversal) and CWE-73 (External Control of File Name or Path) as it demonstrates how insufficient input validation can lead to unauthorized file system access. From an ATT&CK framework perspective, this represents a privilege escalation technique through the use of insecure file handling mechanisms and potentially enables lateral movement within the file system by allowing attackers to access resources beyond their intended scope. The vulnerability also maps to ATT&CK technique T1078 (Valid Accounts) since it leverages authenticated user credentials to perform unauthorized actions, and potentially T1566 (Phishing) if attackers use this vulnerability as part of a broader attack chain following initial compromise through social engineering.

Effective mitigation strategies must address both the immediate technical flaw and implement comprehensive security controls to prevent similar vulnerabilities from emerging in other components. The primary fix involves strengthening input validation in the bucket name sanitization process by explicitly removing or rejecting all directory traversal sequences, including '..' and '../', rather than allowing them to persist through the sanitization filter. Organizations should also implement proper access control mechanisms that enforce strict bucket-level isolation, ensuring that users cannot enumerate or access buckets belonging to other accounts regardless of input validation failures. Additionally, system administrators should consider implementing file system monitoring solutions that can detect suspicious file operations and maintain detailed audit logs for all bucket-related activities to enable rapid incident response when such vulnerabilities are exploited in the wild.

Responsible

VulnCheck

Reservation

06/25/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!