Ghostwire

CVE-2026-57855: Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The...

HIGH CVSS 0.0

Published: July 13, 2026 | Last Modified: July 13, 2026

Description

Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References