Skip to main content

OpenC3 COSMOS CVE-2026-42084

| EUVDEUVD-2026-27057 HIGH
Unverified Password Change (CWE-620)
2026-05-04 GitHub_M GHSA-wgx6-g857-jjf7
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Patch available
May 04, 2026 - 19:17 EUVD
Source Code Evidence Fetched
May 04, 2026 - 18:00 vuln.today
Analysis Generated
May 04, 2026 - 18:00 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:11 nvd
HIGH 8.1

DescriptionGitHub Advisory

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

AnalysisAI

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.

Technical ContextAI

OpenC3 COSMOS is a command-and-control system for embedded systems and spacecraft operations. The vulnerability exists in the authentication model (authentication.rb and auth_model.rb) where the verify_no_service() function accepted both passwords and session tokens interchangeably for user authentication verification. This design flaw stems from CWE-620 (Unverified Password Change), where the password change endpoint failed to distinguish between credential types. The authentication controller called verify_no_service with no_password:false, allowing tokens to pass password verification checks. The fix introduces a mode parameter (:password, :token, :any) to explicitly enforce password-only verification during password reset operations, preventing session tokens from being accepted when old_password validation is required. The authentication model caches both session tokens (SESSIONS_KEY Redis hash) and password hashes (PRIMARY_KEY using Argon2) with separate TTLs, and the original implementation checked both stores without distinguishing the authentication context.

RemediationAI

Upgrade to OpenC3 COSMOS version 6.10.5 (for 6.x stable deployments) or version 7.0.0-rc3 (for 7.0 release candidate deployments) per vendor releases at https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 and https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3. The fix is implemented in commit 2e623714e3426d5ae81b6f8239d4a2a6937ef776, which modifies authentication.rb and auth_model.rb to enforce password-only verification during password change operations via a new mode parameter. If immediate patching is not feasible, implement compensating controls: (1) Force re-authentication with password (not just session validity) before allowing administrative actions including password changes, achievable through custom middleware or reverse proxy logic but requires code modification; (2) Implement aggressive session token rotation with maximum 15-minute TTLs and revoke all sessions on password change via Redis SESSIONS_KEY flush, reducing attacker persistence window but degrades user experience with frequent re-logins; (3) Enable comprehensive audit logging of all password change events with session token fingerprints (IP, user-agent) and alert on password changes from anomalous sources, providing detection but not prevention; (4) Restrict COSMOS access to trusted networks via firewall rules or VPN-only access, reducing session token theft vectors but impedes operational flexibility for remote operators. Note that these compensating controls require custom development effort and do not address the root cause - patching is the definitive solution.

More in Cosmos

View all
CVE-2025-28386 CRITICAL POC
9.8 Jun 13

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent

CVE-2025-28388 CRITICAL POC
9.8 Jun 13

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-28384 CRITICAL POC
9.1 Jun 13

Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end

CVE-2025-28382 HIGH POC
7.5 Jun 13

Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to

CVE-2025-28381 HIGH POC
7.5 Jun 13

A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.

CVE-2025-28380 MEDIUM POC
6.1 Jun 13

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri

CVE-2026-42087 CRITICAL
9.6 May 04

SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privi

CVE-2024-47529 MEDIUM POC
4.8 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2024-46977 MEDIUM
5.3 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2024-43795 MEDIUM
5.1 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42086 MEDIUM
4.6 May 04

Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaS

Share

CVE-2026-42084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy