VYPR
Medium severity 6.5 · NVD Advisory · Published Apr 29, 2026 · Updated Apr 29, 2026

CVE-2026-38993

Description

Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cockpit CMS 2.13.5 and earlier contains a directory traversal vulnerability in the Buckets component, allowing authenticated attackers to write files to arbitrary locations within the uploads directory or to overwrite existing assets.

Vulnerability

Description

CVE-2026-38993 is a directory traversal vulnerability affecting Cockpit CMS versions 2.13.5 and earlier. The flaw resides in the Buckets component, where insufficient input validation allows an authenticated attacker to escape the intended directory [3]. This enables writing files to arbitrary locations within the uploads directory or overwriting existing assets with malicious versions [3].
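As an added illustration of the flaw class described above (not Cockpit's own code, and in Python rather than PHP), a naive bucket/filename join is shown beside a hardened version that pins the resolved path under the uploads root and refuses to overwrite an existing asset unless told to. All function names and the sample uploads tree are constructed for this example.

```python
import os
import tempfile
from pathlib import Path

def unsafe_bucket_path(uploads_root, bucket, filename):
    # Naive join: user-controlled parts are concatenated unchecked,
    # so "../" segments walk out of the intended bucket directory.
    return os.path.join(uploads_root, bucket, filename)

def escapes_root(uploads_root, candidate):
    # True if the normalised candidate lies outside uploads_root.
    root, target = Path(uploads_root).resolve(), Path(candidate).resolve()
    return target != root and root not in target.parents

def safe_bucket_path(uploads_root, bucket, filename, allow_overwrite=False):
    # Hardened join: each part must be one plain component, the resolved
    # target must stay under the root, and assets are not replaced silently.
    for part in (bucket, filename):
        if part in ("", ".", "..") or any(c in part for c in "/\\\x00"):
            raise ValueError(f"invalid path component: {part!r}")
    root = Path(uploads_root).resolve()
    target = (root / bucket / filename).resolve()  # also collapses symlinks
    if root not in target.parents:
        raise ValueError("resolved path escapes the uploads root")
    if target.exists() and not allow_overwrite:
        raise FileExistsError(f"refusing to overwrite existing asset {target}")
    return target

def demo():
    # Exercise both joins against a constructed uploads tree (sample data).
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(os.path.join(root, "assets"))
        Path(root, "assets", "logo.png").write_bytes(b"PNG")  # existing asset
        results["unsafe_escapes"] = escapes_root(
            root, unsafe_bucket_path(root, "../../etc", "passwd"))
        try:
            safe_bucket_path(root, "../../etc", "passwd")
            results["safe_rejects_traversal"] = False
        except ValueError:
            results["safe_rejects_traversal"] = True
        try:
            safe_bucket_path(root, "assets", "logo.png")
            results["safe_blocks_overwrite"] = False
        except FileExistsError:
            results["safe_blocks_overwrite"] = True
        results["safe_accepts_new"] = (
            safe_bucket_path(root, "assets", "new.png").name == "new.png")
    return results
```

The component check rejects traversal outright; the containment check on the resolved path is defence in depth against symlinked subdirectories.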

Attack

Vector

An attacker must first obtain valid authentication credentials for the Cockpit CMS instance [1][3]. Once authenticated, they exploit the Buckets component's missing path validation to write arbitrary files outside the normal asset storage area [1]. The attack complexity is low, as no additional privileges beyond standard user access are required, and the only prerequisite is a valid session [1][2].

Impact

Successful exploitation can lead to unauthorized modification of stored assets, potential file uploads to sensitive directories, and in certain configurations, may serve as a stepping stone for further attacks such as arbitrary code execution. The disclosure notes that this vulnerability was part of a batch of issues reported together with an arbitrary code execution flaw (CVE-2026-38992), suggesting the directory traversal could be chained with other bugs for greater effect [1][2].

Mitigation

The vendor responded within seven hours of disclosure and released a patch in version 2.14.0 on March 30, 2026 [1][2]. All users running Cockpit CMS 2.13.5 or earlier are strongly advised to upgrade to version 2.14.0 or later to remediate this vulnerability [4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: cockpit-hq/cockpit (Packagist)
Affected versions: < 2.14.0
Patched versions: 2.14.0
