CVE-2026-38993: Cockpit is vulnerable to directory traversal

April 29, 2026 (updated May 6, 2026)

Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

References

felsec.com/posts/cockpit-cms-2.13.5-multi-vulns
github.com/Cockpit-HQ/Cockpit
github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0
github.com/advisories/GHSA-p46p-7pmj-m34f
nvd.nist.gov/vuln/detail/CVE-2026-38993

Code Behaviors & Features

Detect and mitigate CVE-2026-38993 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →