{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24893", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.529Z", "datePublished": "2026-04-14T20:37:00.347Z", "dateUpdated": "2026-04-15T13:40:30.971Z"}, "containers": {"cna": {"title": "openITCOCKPIT has Authenticated Command Injection Leading to Remote Code Execution via Host Address Macro Expansion", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-789q-pw85-j2q2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-789q-pw85-j2q2"}, {"name": "https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2"}, {"name": "https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2", "tags": ["x_refsource_MISC"], "url": "https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2"}], "affected": [{"vendor": "openITCOCKPIT", "product": "openITCOCKPIT", "versions": [{"version": "< 5.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T20:37:00.347Z"}, "descriptions": [{"lang": "en", "value": "openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue."}], "source": {"advisory": "GHSA-789q-pw85-j2q2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:40:22.140339Z", "id": "CVE-2026-24893", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:40:30.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:40:22.140339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:40:27.440Z"}}], "cna": {"title": "openITCOCKPIT has Authenticated Command Injection Leading to Remote Code Execution via Host Address Macro Expansion", "source": {"advisory": "GHSA-789q-pw85-j2q2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openITCOCKPIT", "product": "openITCOCKPIT", "versions": [{"status": "affected", "version": "< 5.5.2"}]}], "references": [{"url": "https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-789q-pw85-j2q2", "name": "https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-789q-pw85-j2q2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2", "name": "https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2", "tags": ["x_refsource_MISC"]}, {"url": "https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2", "name": "https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T20:37:00.347Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24893", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:40:30.971Z", "dateReserved": "2026-01-27T19:35:20.529Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T20:37:00.347Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue."}], "id": "CVE-2026-24893", "lastModified": "2026-04-14T21:16:24.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T21:16:24.987", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-789q-pw85-j2q2"}, {"source": "security-advisories@github.com", "url": "https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openITCOCKPIT", "source": "cna", "vendor": "openITCOCKPIT"}, "product": "openitcockpit", "vendor": "openitcockpit"}], "analysis": {"en": {"generated_at": "2026-04-14T22:26:40.179619+00:00", "value": {"mitigation_remediation": ["Upgrade to openITCOCKPIT 5.5.2 or later, which removes the unsanitised macro replacement.", "Limit host\u2011management permissions to trusted operators; restrict the ability to add or modify hosts to users who genuinely need it.", "Disable or tighten monitoring command templates that use the host address as a macro; review existing templates to ensure no shell invocation with raw user data.", "Monitor system logs for unexpected command execution and audit host configuration changes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of openITCOCKPIT Community Edition released prior to 5.5.2 are affected. The flaw is tied to host configurations editable by users with host\u2011management rights, and the vendor has provided a patch in release 5.5.2 that removes the unsanitised macro expansion.", "description_and_impact": "openITCOCKPIT Community Edition before version 5.5.2 contains a command\u2011injection flaw that lets an authenticated user who can add or alter host definitions inject arbitrary operating\u2011system commands into the host address field. The value is incorporated into monitoring templates and passed to the monitoring engine (Nagios or Icinga) through a shell without sanitisation, escaping or quoting, allowing an attacker to execute any OS command on the backend and gain full control of the monitoring system.", "risk_and_exploitability": "With a CVSS score of 8.8, the vulnerability is classified as High. The exploit requires authenticated users who can modify host records, so attackers with compromised credentials or elevated privileges can immediately gain remote code execution. The lack of EPSS or KEV data does not reduce the risk, as the high severity score and the fact that the attack path exploits the monitoring engine\u2019s shell invocation point to a serious threat for environments using openITCOCKPIT."}}}}, "created": "2026-04-15T14:28:41.000353+00:00", "updated": "2026-04-15T14:41:09.770651+00:00", "vendors": ["openitcockpit", "openitcockpit$PRODUCT$openitcockpit"]}