
OpenC3 COSMOS CVE-2026-42084

EUVD-2026-27057 | HIGH 8.1 (CVSS 3.1)
Unverified Password Change (CWE-620)
Published 2026-05-04 | Source: GitHub_M | Advisory: GHSA-wgx6-g857-jjf7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: May 04, 2026 19:17 (EUVD)
Source Code Evidence Fetched: May 04, 2026 18:00 (vuln.today)
Analysis Generated: May 04, 2026 18:00 (vuln.today)
Analysis Generated: May 04, 2026 17:45 (vuln.today)
CVE Published: May 04, 2026 17:11 (NVD)

Description (NVD)

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, accepting a valid session token in its place. In an assumed-breach scenario, an attacker who has already obtained a valid session token can exploit this behaviour to gain persistence in the hijacked account (including an admin account) and to prevent legitimate users from accessing it. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

Analysis (AI)

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. …
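The weak check described in the description and analysis above, shown beside a hardened one and driven through the assumed-breach scenario, as an added example in Ruby (the language of the COSMOS backend). This is not OpenC3 COSMOS code and does not reproduce its real endpoint: the UserStore, the handler names, the PBKDF2 parameters and the session-token handling are all assumptions made up for illustration. The vulnerable handler authorizes the change on a session token alone; the hardened one re-verifies the current password and then revokes every other session for the account, so a hijacked token neither takes the account over nor survives the legitimate owner's rotation.

```ruby
require 'openssl'
require 'securerandom'

# Toy in-memory user store standing in for the real account backend.
# Constructed for this example; it is not OpenC3 COSMOS code.
class UserStore
  Record = Struct.new(:salt, :digest, :sessions)

  def initialize
    @users = {}
  end

  def create(name, password)
    salt = SecureRandom.hex(16)
    @users[name] = Record.new(salt, hash_pw(password, salt), {})
  end

  # Password login: returns a fresh session token, or nil on bad credentials.
  def login(name, password)
    return nil unless verify_password(name, password)
    token = SecureRandom.hex(32)
    @users[name].sessions[token] = Time.now
    token
  end

  def user_for_token(token)
    entry = @users.find { |_, rec| rec.sessions.key?(token) }
    entry && entry.first
  end

  def verify_password(name, password)
    rec = @users[name]
    return false unless rec && password
    secure_eq(rec.digest, hash_pw(password, rec.salt))
  end

  def set_password(name, password)
    rec = @users[name]
    rec.salt = SecureRandom.hex(16)
    rec.digest = hash_pw(password, rec.salt)
  end

  # Keep only the session that performed the change; every other token dies.
  def revoke_other_sessions(name, keep_token)
    @users[name].sessions.keep_if { |tok, _| tok == keep_token }
  end

  private

  # Iteration count kept low so the example runs quickly (assumption, not a recommendation).
  def hash_pw(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, 'sha256')
  end

  # Constant-time comparison so the password check does not leak via timing.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Vulnerable shape (CWE-620): a valid session token alone authorizes the change;
# the old password is accepted by the handler but never checked.
def change_password_vulnerable(store, token, _old_password, new_password)
  user = store.user_for_token(token)
  return [401, 'no session'] unless user
  store.set_password(user, new_password)
  [200, 'password changed']
end

# Hardened shape: re-prove possession of the current password, then revoke every
# other session so a previously hijacked token cannot ride out the rotation.
def change_password_hardened(store, token, old_password, new_password)
  user = store.user_for_token(token)
  return [401, 'no session'] unless user
  return [403, 'old password incorrect'] unless store.verify_password(user, old_password)
  store.set_password(user, new_password)
  store.revoke_other_sessions(user, token)
  [200, 'password changed']
end

# Assumed-breach scenario from the advisory: the attacker holds a hijacked admin
# token but not the admin's password, and tries to take the account over.
def simulate_hijacked_token(handler)
  store = UserStore.new
  store.create('admin', 'correct horse battery staple')
  stolen_token = store.login('admin', 'correct horse battery staple') # exfiltrated by the attacker
  status, _msg = handler.call(store, stolen_token, 'attacker guess', 'attacker-chosen')
  { attacker_status: status,
    victim_can_login: !store.login('admin', 'correct horse battery staple').nil? }
end

# Legitimate rotation on the hardened handler: the owner's own change must also
# invalidate the attacker's stolen token.
def simulate_legitimate_rotation
  store = UserStore.new
  store.create('admin', 'old-pass')
  stolen_token = store.login('admin', 'old-pass')
  own_token = store.login('admin', 'old-pass')
  status, _msg = change_password_hardened(store, own_token, 'old-pass', 'new-pass')
  { status: status, stolen_token_still_valid: !store.user_for_token(stolen_token).nil? }
end

if $PROGRAM_NAME == __FILE__
  p simulate_hijacked_token(method(:change_password_vulnerable)) # attacker wins, owner locked out
  p simulate_hijacked_token(method(:change_password_hardened))   # attacker rejected with 403
  p simulate_legitimate_rotation                                  # stolen token revoked
end
```

Run against the vulnerable handler, the stolen token changes the admin password and the real admin can no longer log in, which is exactly the persistence-plus-lockout outcome the advisory describes; against the hardened handler the same request is rejected and the owner's later rotation kills the stolen session as well.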


Remediation (AI)

Within 24 hours: Inventory all OpenC3 COSMOS deployments and document current versions; restrict administrative access and review recent session token logs for anomalies. Within 7 days: Upgrade all instances to version 6.10.5 or later (for the v6.x branch) or version 7.0.0-rc3 or later (for the v7.x branch); validate successful patch deployment. Note that the upgrade alone does not evict an attacker who already holds a valid session token or has already rotated a hijacked account's password: reset the credentials of any account suspected of compromise and invalidate its sessions after patching. …
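A branch-aware check for the inventory step, added here as an example; it is not vuln.today's or the project's tooling. It assumes deployed version strings use the same form as the advisory's fixed versions (for example "6.10.4" or "7.0.0-rc2"), and the host names and versions in INVENTORY are constructed. The check is per branch on purpose: a naive "version >= 6.10.5" would wrongly pass 7.0.0-rc2, and a naive "version >= 7.0.0-rc3" would wrongly fail every 6.x release.

```ruby
require 'rubygems'

# Fixed versions named in the advisory, keyed by major release branch.
FIXED_BY_BRANCH = {
  6 => Gem::Version.new('6.10.5'),
  7 => Gem::Version.new('7.0.0-rc3')
}.freeze

# Returns :patched, :vulnerable, or :unknown (unparsable string, or a branch the
# advisory does not cover). Gem::Version orders "7.0.0-rc2" < "7.0.0-rc3" < "7.0.0".
def cosmos_patch_status(version_string)
  v = Gem::Version.new(version_string.to_s.strip)
  fixed = FIXED_BY_BRANCH[v.segments.first]
  return :unknown unless fixed
  v >= fixed ? :patched : :vulnerable
rescue ArgumentError
  :unknown
end

# Apply the check to a host => version inventory; returns host => status.
def triage_inventory(inventory)
  inventory.transform_values { |ver| cosmos_patch_status(ver) }
end

# Constructed sample inventory (not real hosts).
INVENTORY = {
  'gs-flight-01' => '6.10.4',
  'gs-flight-02' => '6.10.5',
  'gs-dev-01'    => '7.0.0-rc2',
  'gs-dev-02'    => '7.0.0-rc3',
  'legacy-box'   => 'unknown'
}.freeze

if $PROGRAM_NAME == __FILE__
  triage_inventory(INVENTORY).each { |host, status| puts "#{host}: #{status}" }
end
```

Anything reported as :unknown needs a manual look rather than being treated as safe.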



CVE-2026-42084 vulnerability details – vuln.today
