Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
AnalysisAI
OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.
Technical ContextAI
OpenC3 COSMOS is a command-and-control system for embedded systems and spacecraft operations. The vulnerability exists in the authentication model (authentication.rb and auth_model.rb) where the verify_no_service() function accepted both passwords and session tokens interchangeably for user authentication verification. This design flaw stems from CWE-620 (Unverified Password Change), where the password change endpoint failed to distinguish between credential types. The authentication controller called verify_no_service with no_password:false, allowing tokens to pass password verification checks. The fix introduces a mode parameter (:password, :token, :any) to explicitly enforce password-only verification during password reset operations, preventing session tokens from being accepted when old_password validation is required. The authentication model caches both session tokens (SESSIONS_KEY Redis hash) and password hashes (PRIMARY_KEY using Argon2) with separate TTLs, and the original implementation checked both stores without distinguishing the authentication context.
RemediationAI
Upgrade to OpenC3 COSMOS version 6.10.5 (for 6.x stable deployments) or version 7.0.0-rc3 (for 7.0 release candidate deployments) per vendor releases at https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 and https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3. The fix is implemented in commit 2e623714e3426d5ae81b6f8239d4a2a6937ef776, which modifies authentication.rb and auth_model.rb to enforce password-only verification during password change operations via a new mode parameter. If immediate patching is not feasible, implement compensating controls: (1) Force re-authentication with password (not just session validity) before allowing administrative actions including password changes, achievable through custom middleware or reverse proxy logic but requires code modification; (2) Implement aggressive session token rotation with maximum 15-minute TTLs and revoke all sessions on password change via Redis SESSIONS_KEY flush, reducing attacker persistence window but degrades user experience with frequent re-logins; (3) Enable comprehensive audit logging of all password change events with session token fingerprints (IP, user-agent) and alert on password changes from anomalous sources, providing detection but not prevention; (4) Restrict COSMOS access to trusted networks via firewall rules or VPN-only access, reducing session token theft vectors but impedes operational flexibility for remote operators. Note that these compensating controls require custom development effort and do not address the root cause - patching is the definitive solution.
Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent
OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic
Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br
Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end
Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to
A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.
A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri
SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privi
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.
Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaS
Same weakness CWE-620 – Unverified Password Change
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27057
GHSA-wgx6-g857-jjf7