PT-2026-25975 · Cockpit-Hq/Cockpit · Cockpit
Published 2026-03-17 · Updated 2026-03-18
CVE-2026-31891
CVSS v3.1: 7.7 (Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Impact
This is a SQL injection vulnerability in the toJsonExtractRaw() method of the MongoLite Aggregation Optimizer (lib/MongoLite/Aggregation/Optimizer.php). Attacker-controlled field names from aggregation queries are spliced into the SQL sent to the SQLite content database without sanitization.
Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled
is potentially affected.
Who is impacted:
- Any deployment where the /api/content/aggregate/{model} endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability; no admin access is required.
What an attacker can do:
- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the state=1 published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.
Confidentiality impact is High. Integrity and availability are not directly affected
by this vulnerability.
Patches
This vulnerability has been patched in version 2.13.5.
All users running Cockpit CMS version 2.13.4 or earlier are strongly advised to
upgrade to 2.13.5 or later immediately.
The fix applies the same field-name sanitization introduced in v2.13.3 for toJsonPath() to the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php, closing the injection vector in the Aggregation Optimizer.
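The following is an added illustration of the bug class described above (the filter bypass via an unsanitized field name) and of the allowlist-style fix; it is not code from the Cockpit project or from this advisory. It models a MongoLite collection as a constructed SQLite table with documents stored as JSON text in a `document` column, builds the `state = 1 AND <field> = ?` condition the way a vulnerable optimizer would, and contrasts it with a hardened builder. The table schema, the query shape, the allowlist regex and the payload are assumptions made for the example, not Cockpit's real schema, query text or upstream regex. A small version check for the advisory's affected range is included because it is the first thing a responder wants to run.

```python
import json
import re
import sqlite3

# Constructed sample documents (not Cockpit data): two published, two not.
SAMPLE_DOCS = [
    {"_id": "a1", "title": "Welcome", "state": 1},
    {"_id": "a2", "title": "Pricing", "state": 1},
    {"_id": "a3", "title": "Unreleased roadmap", "state": 0},
    {"_id": "a4", "title": "Internal memo", "state": -1},
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a MongoLite collection table.

    Assumed schema: one JSON document per row in a `document` text column.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, document TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO content (document) VALUES (?)",
        [(json.dumps(doc),) for doc in SAMPLE_DOCS],
    )
    return con


def to_json_extract_vulnerable(field: str) -> str:
    """Vulnerable pattern: the field name is spliced into the JSON path literal."""
    return f"json_extract(document, '$.{field}')"


# Assumed allowlist for the hardened builder; the upstream regex may differ.
FIELD_RE = re.compile(r"^[A-Za-z0-9_.]+$")


def to_json_extract_hardened(field: str) -> str:
    """Hardened pattern: reject any field name that is not a plain dotted path."""
    if not FIELD_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    return f"json_extract(document, '$.{field}')"


def published_titles(con: sqlite3.Connection, field: str, value, extract) -> list:
    """Simulates the published-content filter: state = 1 AND <field> = value.

    The value is bound as a parameter; only the field name reaches the SQL text.
    """
    sql = (
        "SELECT json_extract(document, '$.title') FROM content "
        f"WHERE json_extract(document, '$.state') = 1 AND {extract(field)} = ?"
    )
    return [row[0] for row in con.execute(sql, (value,))]


# Constructed payload: closes the path literal, then ORs in an always-true term.
# AND binds tighter than OR, so the state = 1 filter no longer constrains the result.
PAYLOAD = "title') = 1 OR 1=1 OR json_extract(document, '$.title"


def is_vulnerable(version: str) -> bool:
    """Advisory range: 2.13.4 and earlier affected, 2.13.5 and later fixed.

    Expects a plain dotted numeric version string.
    """
    parts = tuple(int(p) for p in version.split("."))
    return parts <= (2, 13, 4)


def demo() -> dict:
    """Runs a benign query, the bypass against the vulnerable builder,
    and the same payload against the hardened builder."""
    con = make_db()
    benign = published_titles(con, "title", "Welcome", to_json_extract_vulnerable)
    leaked = published_titles(con, PAYLOAD, "x", to_json_extract_vulnerable)
    try:
        published_titles(con, PAYLOAD, "x", to_json_extract_hardened)
        blocked = False
    except ValueError:
        blocked = True
    return {"benign": benign, "leaked": sorted(leaked), "blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    for v in ("2.13.4", "2.13.5"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

The `leaked` list in the demo output contains the unpublished and restricted titles alongside the published ones, which is the filter bypass the advisory describes; the hardened builder refuses the payload before any SQL is assembled. Binding the value as a parameter does not help here because the injection point is the field name inside the query text, which is why the fix is field-name sanitization rather than parameterization.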
Weakness Enumeration
SQL injection
Related Identifiers
CVE-2026-31891
Affected Products
Cockpit (Cockpit-Hq/Cockpit)