CVE-2026-42084

EUVD-2026-27057

04.05.2026, 18:16

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
openc3	cosmos	𝑥 < 6.10.5
openc3	cosmos	7.0.0:rc1
openc3	cosmos	7.0.0:rc2

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-620 - Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

References

https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776

https://github.com/OpenC3/cosmos/releases/tag/v6.10.5

https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3

https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7