Vulnerability in OpenC3 COSMOS Allows Unauthorized Administrative Actions
CVE-2026-42088

9.6 CRITICAL

Key Information:

Vendor: Openc3

Status: Vendor

CVE Published: 4 May 2026

What is CVE-2026-42088?

The OpenC3 COSMOS application, which facilitates command execution and data exchange with embedded systems, contains a vulnerability in the Script Runner widget prior to version 7.0.0-rc3. This issue allows users with script execution permissions to run malicious Python and Ruby scripts within the openc3-COSMOS-script-runner-api container. Due to the shared Docker network, these scripts can bypass API permission checks, granting unauthorized access to sensitive operations typically restricted to Admin Console users. Consequently, this could lead to unauthorized data manipulation within the Redis database, including retrieving confidential secrets and altering COSMOS configurations. Affected users should upgrade to version 7.0.0-rc3 to mitigate these risks.

Affected Version(s)

cosmos < 7.0.0-rc3

CVSS v3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved