Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

INFO

Published Date :

2026-05-04T17:11:31.853Z

Last Modified :

2026-05-06T13:39:58.104Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42084 vulnerability.

Vendors Products
Openc3
  • Cosmos
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42084.

URL Resource
https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776 cve-icon cve-icon
https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 cve-icon cve-icon
https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 cve-icon cve-icon
https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact