CVE-2026-31891: Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.
Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected.
Who is impacted:
- Any deployment where the /api/content/aggregate/{model} endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin access is required.
What an attacker can do:
- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the _state=1 published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.
Confidentiality impact is High. Integrity and availability are not directly affected by this vulnerability.
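The defensive pattern the advisory implies, as an added illustration that is not Cockpit's code: a lookup over JSON documents in SQLite that keeps caller-supplied field names out of the SQL text by allowlisting them as dotted identifiers and then binding the json_extract() path as a parameter, while the published-content filter stays fixed SQL. The table, column and sample documents are constructed for the example; the regex is a hypothetical policy, not Cockpit's.

```python
import re
import sqlite3

# Hypothetical allowlist: field names are dotted identifiers such as "meta.title".
# Quotes, spaces, operators and comment markers never match, so they never reach SQL.
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*")


def is_valid_field(field: str) -> bool:
    """True when the field name is a plain dotted identifier."""
    return FIELD_RE.fullmatch(field) is not None


def json_path(field: str) -> str:
    """Return a json_extract() path for a validated field name, else raise."""
    if not is_valid_field(field):
        raise ValueError(f"rejected field name: {field!r}")
    return "$." + field


def published_docs(conn: sqlite3.Connection, field: str, value) -> list:
    """Return published documents whose `field` equals `value`.

    The JSON path is passed as a bound parameter, so SQLite treats it as data,
    never as SQL; the allowlist is an independent second layer. The _state
    filter is fixed text and cannot be altered by the caller's field name.
    """
    sql = (
        "SELECT document FROM content "
        "WHERE json_extract(document, '$._state') = 1 "
        "AND json_extract(document, ?) = ?"
    )
    return [row[0] for row in conn.execute(sql, (json_path(field), value))]


def demo_connection() -> sqlite3.Connection:
    """Constructed sample data: one published and one unpublished document."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (document TEXT)")
    conn.executemany(
        "INSERT INTO content VALUES (?)",
        [('{"_state": 1, "meta": {"title": "hello"}}',),
         ('{"_state": 0, "meta": {"title": "hello"}}',)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(published_docs(conn, "meta.title", "hello"))  # only the _state=1 document
    for bad in ("meta.title'", "meta title", "1abc"):
        print(bad, "->", is_valid_field(bad))  # all False
```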