SQL Injection Vulnerability in OpenC3 COSMOS Time-Series Database Component
CVE-2026-42087

9.6CRITICAL

Key Information:

Vendor

Openc3

Status
Cosmos
Vendor
CVE Published:
4 May 2026

What is CVE-2026-42087?

OpenC3 COSMOS, specifically its Time-Series Database component, is susceptible to SQL injection due to improper handling of user input. The tsdb_lookup function in the cvt_model.rb file allows attackers to inject arbitrary SQL commands, potentially enabling unauthorized data manipulation, including deletion. This vulnerability affects versions 6.7.0 to prior to 7.0.0-rc3. Users are strongly advised to upgrade to version 7.0.0-rc3 or later, where this issue has been addressed.

Affected Version(s)

cosmos >= 6.7.0, < 7.0.0-rc3

References

https://github.com/OpenC3/cosmos/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a...
x_refsource_MISC
https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.