Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the Docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as reading and writing to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the Docker network. This issue has been patched in version 7.0.0-rc3.
Published: 2026-05-04
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A defect in the Script Runner widget of OpenC3 COSMOS lets any user who can create and execute scripts bypass the normal API permission checks. By running a carefully crafted Python or Ruby script from the openc3-COSMOS-script-runner-api container, the attacker can perform actions that are normally reserved for administrators, such as reading and modifying the Redis database, accessing and altering files in the buckets service, and changing COSMOS configuration secrets. This represents a failure of authorization enforcement (CWE-250) and enables unauthorized privilege escalation.

Affected Systems

The vulnerability applies to OpenC3 COSMOS deployments that use the script-runner-api container and are running any version prior to 7.0.0-rc3. Only users with script-creation privileges can exploit it, but because all Docker containers share a network, the attacker can reach internal services like Redis and the bucket storage from the compromised script runner.

Risk and Exploitability

With a CVSS score of 9.6, the flaw is considered critical. Although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the lack of those metrics does not diminish the inherent danger. The attack requires only the ability to run scripts; the malicious script can then communicate over the Docker network to access sensitive services, read secrets, and alter system configuration. The vulnerability is therefore readily exploitable in a typical user environment where script execution is enabled.

Generated by OpenCVE AI on May 4, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later, where the script-runner permissions are corrected.
  • If an upgrade is delayed, immediately revoke or restrict script execution rights for non-administrative accounts to block potential exploitation.
  • Apply network segmentation so that the script-runner container is isolated from internal services such as Redis and the bucket service, limiting lateral movement if an attacker obtains script-execution privileges.



Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Openc3, Openc3 cosmos

Type: Vendors & Products
Values Removed: (none)
Values Added: Openc3, Openc3 cosmos

Mon, 04 May 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: the CVE description shown at the top of this page

Type: Title
Values Removed: (none)
Values Added: OpenC3 COSMOS: Administrative Actions via the Script Runner Tool

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-250

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:36:16.686Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42088

Vulnrichment

Updated: 2026-05-04T19:35:56.503Z

NVD

Status: Received

Published: 2026-05-04T18:16:31.007

Modified: 2026-05-04T20:16:19.960

Link: CVE-2026-42088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:00:07Z

Weaknesses