CVE-2026-42084
CVE-2026-42084 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. EPSS estimates a 0.30% chance of exploitation in the next 30 days.
Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed-breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token to gain persistence in the hijacked account (including admin accounts) and to prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
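The following is an added illustration of the weakness class described above, not OpenC3 COSMOS code: a password-change handler that authorizes the change on a session token alone (the vulnerable pattern) beside one that re-verifies the current password and revokes the account's other sessions. Account, session store and token values are constructed in memory for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed account model (not OpenC3's); stores a salted PBKDF2 digest.
class Account
  attr_reader :username

  def initialize(username, password)
    @username = username
    set_password(password)
  end

  def set_password(password)
    @salt = SecureRandom.hex(16)
    @digest = Account.hash_password(password, @salt)
  end

  # Constant-time comparison so the check does not leak timing information.
  def password_valid?(password)
    OpenSSL.fixed_length_secure_compare(Account.hash_password(password, @salt), @digest)
  end

  def self.hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('sha256'))
  end
end

# Vulnerable pattern: a valid session token is the only thing authorizing the change,
# so whoever holds the token can lock the real owner out.
def change_password_vulnerable(accounts, sessions, token, new_password)
  username = sessions[token]
  return :unauthorized unless username
  accounts[username].set_password(new_password)
  :changed
end

# Hardened pattern: the caller must prove knowledge of the current password, and
# every other session for the account is revoked once the change succeeds.
def change_password_hardened(accounts, sessions, token, old_password, new_password)
  username = sessions[token]
  return :unauthorized unless username
  account = accounts[username]
  return :wrong_old_password unless account.password_valid?(old_password)
  account.set_password(new_password)
  sessions.delete_if { |t, u| u == username && t != token }
  :changed
end
```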
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Openc3 | Cosmos | < 6.10.5 | — |
| Openc3 | Cosmos | 7.0.0 | Rc1 |
References
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7 (Exploit, Vendor Advisory)
Source: NVD / NIST
