Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3.
Published: 2026-05-04
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The tsdb_lookup function in the cvt_model.rb file fails to sanitize user input before embedding it directly into a SQL query. This defect permits an attacker to insert arbitrary SQL, enabling execution of commands such as dropping or deleting tables and manipulating stored data. As a result, the vulnerability can compromise data integrity and confidentiality within the COSMOS time-series database, classified as CWE‑89.

Affected Systems

The flaw affects OpenC3 COSMOS versions starting from 6.7.0 up to, but not including, 7.0.0‑rc3. These releases provide the Time‑Series Database component that contains the vulnerable tsdb_lookup helper. The issue was addressed in the 7.0.0‑rc3 release; deploying this patch or any newer version resolves the injection risk.

Risk and Exploitability

The CVSS score of 9.6 indicates a high‑severity flaw, and although a current EPSS value is unavailable, the absence of a KEV listing suggests no publicly known exploit yet. The likely attack vector is remote, relying on an attacker’s ability to send crafted requests to the TSDB service; authentication requirements are unclear, so the vulnerability may be exploitable without elevated privileges. Given the severity and potential for data loss, users should treat this as a critical issue warranting immediate attention.

Generated by OpenCVE AI on May 4, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenC3 COSMOS to version 7.0.0‑rc3 or newer, which contains the fixed tsdb_lookup implementation.
  • If an upgrade cannot be performed immediately, restrict network access to the TSDB API endpoint to trusted hosts or networks, preventing unauthenticated exploitation.
  • As a temporary workaround, disable or remove the tsdb_lookup functionality until the patch is applied, or replace it with a version that properly sanitizes input according to best practices for SQL injection prevention.
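The following Ruby is an added illustration and not code from OpenC3 COSMOS or its cvt_model.rb. It models the defect the advisory describes (a lookup helper that interpolates caller-supplied target, packet and item names straight into a SQL statement) beside a hardened variant that only accepts names present in a telemetry dictionary, checks their shape, and double-quotes them as identifiers. The table naming scheme, the KNOWN_ITEMS dictionary and the function names are assumptions made for the example.

```ruby
# Added illustration, not code from OpenC3 COSMOS. It models the pattern the
# advisory describes (a TSDB lookup helper that interpolates caller-supplied
# target/packet/item names straight into SQL) next to a hardened variant.
# The table/column naming scheme and the telemetry dictionary below are
# constructed for this example.

# Constructed stand-in for the telemetry definitions a real system loads
# from its configuration: target -> packet -> list of item names.
KNOWN_ITEMS = {
  "INST" => { "HEALTH_STATUS" => %w[TEMP1 TEMP2 COLLECTS] },
}.freeze

# Plain SQL identifier: letter or underscore first, then up to 63 word chars.
IDENTIFIER = /\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/

class UnsafeIdentifier < StandardError; end

# VULNERABLE: the three names land in the statement verbatim, so a value
# containing ';' or a comment marker changes the statement's structure.
def tsdb_lookup_unsafe(target, packet, item)
  "SELECT #{item} FROM #{target}__#{packet} ORDER BY timestamp DESC LIMIT 1"
end

# Layer 1: only names that exist in the loaded definitions are accepted.
def known_item?(target, packet, item)
  KNOWN_ITEMS.dig(target, packet)&.include?(item) ? true : false
end

# Layer 2: shape check plus double-quoting (PostgreSQL-style quoting, which
# QuestDB's wire protocol speaks), so even an allowlisted name can only be
# read as an identifier, never as SQL syntax.
def quote_identifier(name)
  unless name.is_a?(String) && IDENTIFIER.match?(name)
    raise UnsafeIdentifier, "rejected identifier #{name.inspect}"
  end
  %("#{name}")
end

# HARDENED: refuse unknown or malformed names before building any SQL.
def tsdb_lookup_safe(target, packet, item)
  unless known_item?(target, packet, item)
    raise UnsafeIdentifier, "no such item #{target}/#{packet}/#{item}"
  end
  table  = quote_identifier("#{target}__#{packet}")
  column = quote_identifier(item)
  "SELECT #{column} FROM #{table} ORDER BY timestamp DESC LIMIT 1"
end

# Cheap detection heuristic for query logs or tests: a single-row lookup
# should never contain a statement separator or a SQL comment marker.
def suspicious_sql?(sql)
  sql.include?(";") || sql.include?("--") || sql.include?("/*")
end

if __FILE__ == $PROGRAM_NAME
  benign  = %w[INST HEALTH_STATUS TEMP1]
  crafted = ["INST", "HEALTH_STATUS", "TEMP1; SELECT 1; --"] # constructed breakout input

  puts tsdb_lookup_unsafe(*benign)
  puts "unsafe builder with crafted item is suspicious: #{suspicious_sql?(tsdb_lookup_unsafe(*crafted))}"
  puts tsdb_lookup_safe(*benign)
  begin
    tsdb_lookup_safe(*crafted)
  rescue UnsafeIdentifier => e
    puts "hardened builder refused: #{e.message}"
  end
end
```

The dictionary check is the important layer: identifiers cannot be bound as query parameters, so the only robust defence for table and column names is an allowlist derived from the system's own definitions, with quoting as a second line. Values (timestamps, limits) that do reach the query should still go through parameterized queries rather than interpolation.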

Generated by OpenCVE AI on May 4, 2026 at 18:53 UTC.


Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openc3; Openc3 cosmos
Vendors & Products  |                | Openc3; Openc3 cosmos

Mon, 04 May 2026 17:45:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3.
Title       |                | OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Base
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T17:18:02.965Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42087

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T18:16:30.830

Modified: 2026-05-04T18:16:30.830

Link: CVE-2026-42087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:00:07Z

Weaknesses