Skip to main content

OpenC3 COSMOS CVE-2026-42087

| EUVDEUVD-2026-27063 CRITICAL
SQL Injection (CWE-89)
2026-05-04 GitHub_M GHSA-v529-vhwc-wfc5
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Patch available
May 04, 2026 - 19:17 EUVD
Source Code Evidence Fetched
May 04, 2026 - 18:01 vuln.today
Analysis Generated
May 04, 2026 - 18:01 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:18 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3.

AnalysisAI

SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privileges to execute arbitrary SQL commands against the QuestDB time-series database. Attackers can exfiltrate all telemetry data, drop tables, or manipulate historical records via the get_tlm_values RPC endpoint by injecting malicious SQL into the start_time parameter. Vendor-released patch available in version 7.0.0-rc3 (commit 9ba60c0). No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept payloads demonstrating both data extraction and table deletion.

Technical ContextAI

The vulnerability resides in the tsdb_lookup function within cvt_model.rb (Ruby) and cvt_model.py (Python), which construct SQL queries for QuestDB (a time-series database optimized for telemetry storage) by directly concatenating user-supplied start_time and end_time parameters into WHERE clauses. The affected code performs string interpolation (e.g., WHERE T0.PACKET_TIMESECONDS < '#{start_time}') rather than parameterized queries, violating CWE-89 SQL injection prevention guidance. QuestDB supports PostgreSQL wire protocol, making it susceptible to classic SQL injection techniques including UNION-based data extraction and DDL statement execution (DROP TABLE). The get_tlm_values endpoint exposes this function to any authenticated user with 'tlm' permission (granted to Admin, Operator, Viewer, and Runner roles by default), significantly expanding the attack surface beyond privileged administrators. The patch (commit 9ba60c0) replaces string concatenation with parameterized queries using exec_params (Ruby) and cursor.execute with placeholder parameters (Python), binding user input as query parameters rather than embedding it in the SQL string.

RemediationAI

Upgrade to OpenC3 COSMOS version 7.0.0-rc3 or later, which replaces string interpolation with parameterized queries (commit 9ba60c09c8836a37a2e4ea67ab35fe403e041415). Release available at https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict 'tlm' permission to only trusted users-audit role assignments in COSMOS configuration to remove Viewer/Runner roles from untrusted accounts, though this breaks read-only telemetry access workflows. (2) Deploy web application firewall (WAF) rules to block SQL metacharacters (single quotes, semicolons, UNION keywords) in start_time/end_time parameters of /openc3-api/api requests to get_tlm_values endpoint, though sophisticated attackers may bypass signature-based filters using encoding. (3) Enable QuestDB query logging and monitor for abnormal queries containing DROP, ALTER, or UNION statements originating from COSMOS application user, though this provides detection rather than prevention. (4) Network segmentation: isolate COSMOS instances on non-routable networks accessible only via VPN with multi-factor authentication, reducing attack surface but not eliminating insider threat risk. No compensating control fully mitigates the vulnerability-patching remains the definitive solution.

More in Cosmos

View all
CVE-2025-28386 CRITICAL POC
9.8 Jun 13

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent

CVE-2025-28388 CRITICAL POC
9.8 Jun 13

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-28384 CRITICAL POC
9.1 Jun 13

Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end

CVE-2025-28382 HIGH POC
7.5 Jun 13

Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to

CVE-2025-28381 HIGH POC
7.5 Jun 13

A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.

CVE-2025-28380 MEDIUM POC
6.1 Jun 13

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri

CVE-2024-47529 MEDIUM POC
4.8 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42084 HIGH
8.1 May 04

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attacker

CVE-2024-46977 MEDIUM
5.3 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2024-43795 MEDIUM
5.1 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42086 MEDIUM
4.6 May 04

Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaS

Share

CVE-2026-42087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy