Skip to main content

OpenC3 COSMOS CVE-2026-42085

| EUVDEUVD-2026-27059 MEDIUM
Relative Path Traversal (CWE-23)
2026-05-04 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch available
May 04, 2026 - 19:17 EUVD
Source Code Evidence Fetched
May 04, 2026 - 18:00 vuln.today
Analysis Generated
May 04, 2026 - 18:00 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:13 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

AnalysisAI

OpenC3 COSMOS before versions 6.10.5 and 7.0.0-rc3 allows authenticated users to write arbitrary files to the shared /plugins directory via path traversal sequences in tool configuration filenames, potentially overwriting other plugins' configuration files. The vulnerability exists in the save_tool_config() function which canonicalizes filenames but does not restrict writes to plugin-specific subdirectories, enabling lateral movement between plugins. CVSS 4.3 reflects low severity due to authentication requirement and limited scope (integrity only), though real-world impact depends on whether plugin configurations contain sensitive data.

Technical ContextAI

OpenC3 COSMOS is an embedded systems command and telemetry framework written in Ruby/Python that manages tool configurations across a shared plugin directory structure. The vulnerability lies in the save_tool_config() function in local_mode.rb, which accepts user-supplied configuration filenames from the web UI and saves them within OPENC3_LOCAL_MODE_PATH. Although the implementation uses path canonicalization to prevent standard '..' escapes to arbitrary system locations, the shared /plugins root directory is accessible to all plugins. The CWE-23 classification (Relative Path Traversal) applies because the function validates against absolute path traversal but fails to enforce per-plugin directory boundaries. The fix adds regex validation (/[/\]|\.\./) to both the Vue.js frontend SaveConfigDialog component and backend Ruby/Python ToolConfigModel classes, rejecting any configuration or tool names containing path separators or '..' sequences.

RemediationAI

Upgrade to OpenC3 COSMOS 6.10.5 or 7.0.0-rc3 or later immediately. The patches add regex-based input validation to reject tool and configuration names containing forward slashes, backslashes, or '..' sequences at both frontend (Vue.js SaveConfigDialog) and backend (Ruby ToolConfigModel and Python ToolConfigModel) layers. No workarounds are available without code modification. If immediate patching is not possible, disable tool configuration save functionality in the COSMOS web UI or restrict access to the COSMOS interface to trusted operators only via network firewall rules or reverse proxy authentication. Verify the fix by checking that configuration save attempts with names like '../../evil' or 'sub/config' are rejected with 'Invalid config name' errors. See GitHub commits https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5 and https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42 for exact code changes.

More in Cosmos

View all
CVE-2025-28386 CRITICAL POC
9.8 Jun 13

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent

CVE-2025-28388 CRITICAL POC
9.8 Jun 13

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-28384 CRITICAL POC
9.1 Jun 13

Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end

CVE-2025-28382 HIGH POC
7.5 Jun 13

Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to

CVE-2025-28381 HIGH POC
7.5 Jun 13

A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.

CVE-2025-28380 MEDIUM POC
6.1 Jun 13

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri

CVE-2026-42087 CRITICAL
9.6 May 04

SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privi

CVE-2024-47529 MEDIUM POC
4.8 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42084 HIGH
8.1 May 04

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attacker

CVE-2024-46977 MEDIUM
5.3 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2024-43795 MEDIUM
5.1 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

Share

CVE-2026-42085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy