Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-57855

Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-284 Control de acceso incorrecto
Fecha de publicación:
13/07/2026
Última modificación:
13/07/2026

Descripción

*** Pendiente de traducción *** Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.