PT-2026-25975 · Cockpit · Cockpit

Ffasterss · Published 2026-03-17 · Updated 2026-03-26 · CVE-2026-31891

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected software and versions: Cockpit versions 2.13.4 and earlier

Description: Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL injection issue in the MongoLite Aggregation Optimizer. The issue is exposed through the /api/content/aggregate/{model} API endpoint whenever that endpoint is publicly accessible or reachable by untrusted users. An attacker holding a valid read-only API key can inject arbitrary SQL through unsanitized field names in aggregation queries. This allows the state=1 published-content filter to be bypassed, giving access to unpublished or restricted content and allowing unauthorized data to be extracted from the underlying SQLite content database. The toJsonExtractRaw() function in lib/MongoLite/Aggregation/Optimizer.php is the source of the issue.

Recommendations: Upgrade to version 2.13.5 or later.
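As an added illustration that is not Cockpit's own code and does not reproduce toJsonExtractRaw(), the PHP below shows the defensive pattern behind this class of fix: caller-supplied aggregation field names are checked against an identifier allowlist before they are turned into a SQLite json_extract() path, the path is bound as a parameter rather than spliced into SQL text, and the generated query always keeps the state = 1 published-content restriction. The helper names assertSafeFieldName(), fieldToJsonExtract() and buildPublishedQuery(), the `document` JSON column, the `state` column and the table layout are assumptions made for this example.

```php
<?php
// Added example, not Cockpit's code: hardening of caller-supplied field names
// before they reach SQLite SQL text. Helper names, the `document` JSON column
// and the `state` column layout are assumptions for this illustration.
declare(strict_types=1);

/**
 * Accept only a dotted identifier path such as "title" or "meta.tags".
 * Anything else (quotes, parentheses, spaces, operators) is rejected
 * before it can reach the SQL string.
 */
function assertSafeFieldName(string $field): void
{
    $pattern = '/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/';
    if (!preg_match($pattern, $field)) {
        throw new InvalidArgumentException("Rejected field name: {$field}");
    }
}

/**
 * Build a json_extract() over the JSON `document` column for one field.
 * The JSON path is bound as a parameter rather than interpolated, so even
 * the validated name never becomes part of the SQL text.
 * Returns [sql fragment, bound parameters].
 */
function fieldToJsonExtract(string $field): array
{
    assertSafeFieldName($field);
    return ['json_extract(document, ?)', ['$.' . $field]];
}

/**
 * Assemble an equality filter on one field that always keeps the
 * state = 1 (published) restriction. The table name is checked against
 * the same identifier rule, since it cannot be bound as a parameter.
 */
function buildPublishedQuery(string $table, string $field, string $value): array
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        throw new InvalidArgumentException("Rejected table name: {$table}");
    }
    [$expr, $params] = fieldToJsonExtract($field);
    $sql = "SELECT document FROM {$table} WHERE state = 1 AND {$expr} = ?";
    $params[] = $value;
    return [$sql, $params];
}

// Demonstration with constructed inputs. Plain names pass and the generated
// SQL still carries the state = 1 filter; a name containing a quote is
// rejected before any SQL is assembled.
foreach (['title', 'meta.tags', "title'"] as $candidate) {
    try {
        [$sql, $params] = buildPublishedQuery('posts', $candidate, 'hello');
        echo $sql, '  -- params: ', json_encode($params), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`; the returned SQL and parameter array are in the shape a PDO `prepare()`/`execute()` pair expects. The allowlist and the parameter binding overlap on purpose: validation keeps the identifier space small enough to reason about, and binding means the published-content filter cannot be altered even if a later change to the allowlist lets something unexpected through.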

Weakness Enumeration: SQL injection

Related Identifiers

CVE-2026-31891
GHSA-7X5C-VFHJ-9628

Affected Products

Cockpit