CVE-2026-31891

Severity: HIGH 7.7 | EPSS: 0.01%

Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()

Published: 3/17/2026
Modified: 3/19/2026
Also known as: GHSA-7x5c-vfhj-9628

Description

### Impact

This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled is potentially affected.

**Who is impacted:**

- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users.
- Attackers in possession of a **valid read-only API key** (the lowest privilege level) can exploit this vulnerability — no admin access is required.

**What an attacker can do:**

- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the `_state=1` published-content filter to access unpublished or restricted content.
- Extract unauthorized data from the underlying SQLite content database.

**Confidentiality impact is High.** Integrity and availability are not directly affected by this vulnerability.

### Patches

This vulnerability has been **patched in version 2.13.5**. All users running Cockpit CMS version **2.13.4 or earlier** are strongly advised to upgrade to **2.13.5 or later** immediately.

- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5

The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
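As an added illustration of the defect class the advisory describes (this is not Cockpit's own code, which the page does not reproduce), the PHP below contrasts a JSON-extraction helper that splices a caller-supplied field name straight into a SQL expression with a hardened version that validates the name against an identifier whitelist before it reaches the query. The function names echo the advisory's `toJsonExtractRaw()`; the `document` column, the SQLite `json_extract()` call shape and the exact whitelist pattern are assumptions for the example.

```php
<?php
// Added example, not Cockpit CMS code. Assumes MongoLite-style storage: a SQLite
// table whose `document` column holds the JSON record (assumption).

function toJsonExtractRawUnsafe(string $field): string
{
    // Vulnerable pattern: the field name is concatenated into the SQL expression
    // unchanged, so a quote or other SQL syntax inside it becomes part of the query.
    return "json_extract(document, '\$." . $field . "')";
}

function sanitizeFieldName(string $field): string
{
    // Hardened pattern: accept only identifier segments joined by dots (nested
    // paths). Quotes, parentheses, whitespace and comment markers are rejected
    // before the name can reach the SQL string. The whitelist is an assumption.
    $identifier = '[A-Za-z_][A-Za-z0-9_]*';
    if (!preg_match('/^' . $identifier . '(\.' . $identifier . ')*$/', $field)) {
        throw new InvalidArgumentException('Invalid field name: ' . $field);
    }
    return $field;
}

function toJsonExtractRawSafe(string $field): string
{
    // Same SQL shape as the unsafe version, but only a validated name is spliced in.
    return "json_extract(document, '\$." . sanitizeFieldName($field) . "')";
}

// Constructed inputs for demonstration.
echo toJsonExtractRawSafe('meta.title'), PHP_EOL;   // json_extract(document, '$.meta.title')

try {
    toJsonExtractRawSafe("title'");                  // a quote in the name is refused
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Validating the field name rather than escaping it is the right choice here: field names are SQL identifiers inside a JSON path, not bound parameters, so prepared statements cannot protect them, and a strict whitelist is both simpler to audit and harder to bypass than an escaping routine. An operator checking exposure should confirm the running version is 2.13.5 or later and that `/api/content/aggregate/{model}` is not reachable by untrusted clients holding read-only keys.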

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |

References (4)