Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed-breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token to gain persistence in the hijacked account (including admin accounts) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
Published: 2026-05-04
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user to change their password without providing the current password when a valid session token is supplied. This means an attacker who has previously obtained a session token can reset any user’s password and maintain access to the account, including administrator accounts, thereby achieving persistence and preventing legitimate users from accessing the account. The weakness lies in improper authentication validation, identified as CWE-620.

Affected Systems

OpenC3 COSMOS v6.x releases prior to 6.10.5 and v7.x releases prior to 7.0.0-rc3 are affected. The issue is resolved in versions 6.10.5 and 7.0.0-rc3 and later.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is rated high, and while the EPSS score is unavailable, its absence from the CISA KEV list suggests it has not yet been widely exploited. Attackers require a valid session token, which can be obtained through session hijacking or other credential theft methods. The exploitation path is therefore restricted to users who have already been authenticated or whose session has been compromised. Despite this limitation, the impact of gaining unrestricted account access is significant and warrants immediate attention.

Generated by OpenCVE AI on May 4, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenC3 COSMOS to version 6.10.5 or later, or to 7.0.0-rc3 or newer, where the issue is fixed.
  • Restrict the password reset functionality to require the current password even when a session token is present, ensuring that only an authenticated user can perform a reset.
  • Audit and monitor password change logs for unexpected resets and investigate any anomalies promptly.
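As an added illustration of the second recommendation (example code written for this page, not OpenC3 COSMOS's own implementation), a minimal Ruby password-change handler showing the weak check that accepts only a session token beside the corrected one. The `User` model, the in-memory `SESSIONS` table and the PBKDF2 storage are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
# Constructed in-memory user record for this example, not COSMOS's own model.
class User
  def initialize(password)
    self.password = password
  end

  # PBKDF2-HMAC-SHA256 from Ruby's standard library (few iterations, for speed).
  def self.derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                             length: 32, hash: "sha256")
  end

  def password=(new_password)
    @salt = SecureRandom.bytes(16)
    @hash = self.class.derive(new_password, @salt)
  end

  # Constant-time comparison of stored and candidate hashes (both 32 bytes).
  def password?(candidate)
    other = self.class.derive(candidate, @salt)
    @hash.bytes.zip(other.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Session table, token => user. Holding a valid token is all the weak path checks.
SESSIONS = {}
def login(user, password)
  return nil unless user.password?(password)
  token = SecureRandom.hex(16)
  SESSIONS[token] = user
  token
end

# The weak pattern described in CVE-2026-42084: the session token alone
# authorizes the change, so a hijacked token can lock the real owner out.
def change_password_weak(token, new_password)
  return :unauthenticated unless (user = SESSIONS[token])
  user.password = new_password
  :changed
end

# Hardened form: re-prove the current password, then drop every other
# session of this user so a hijacker's token stops working.
def change_password(token, current_password, new_password)
  return :unauthenticated unless (user = SESSIONS[token])
  return :wrong_current_password unless user.password?(current_password)
  user.password = new_password
  SESSIONS.delete_if { |t, u| u.equal?(user) && t != token }
  :changed
end
```

Revoking the other sessions on a successful change is what turns a password reset into a recovery step for the legitimate owner rather than only a persistence step for whoever holds a stolen token.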


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000 (values added; nothing removed)

  First Time appeared: Openc3; Openc3 cosmos
  Vendors & Products: Openc3; Openc3 cosmos

Mon, 04 May 2026 17:45:00 +0000 (values added; nothing removed)

  Description: OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
  Title: OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
  Weaknesses: CWE-620
  References: (none listed)
  Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T17:11:31.853Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42084

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T18:16:30.357

Modified: 2026-05-04T18:16:30.357

Link: CVE-2026-42084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:43:53Z

Weaknesses