CVE-2026-38991: Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type

April 29, 2026 (updated May 6, 2026)

Cockpit versions 2.13.5 and earlier are affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server.

References

felsec.com/posts/cockpit-cms-2.13.5-multi-vulns
github.com/Cockpit-HQ/Cockpit
github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0
github.com/advisories/GHSA-j2rx-4jg9-79mw
nvd.nist.gov/vuln/detail/CVE-2026-38991

Code Behaviors & Features

Detect and mitigate CVE-2026-38991 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →