CVE-2026-42084

HIGH EPSS 22.1%
Published May 4, 20261mo ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published May 4, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
22.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-620

Affected Products 3

VendorProductVersionRange
openc3cosmos* <6.10.5
openc3cosmos7.0.0any
openc3cosmos7.0.0any

References 4

  • github.com https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776
    Patch
  • github.com https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
    Release Notes
  • github.com https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
    Release Notes
  • github.com https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776
    Patch