Cyber Posture

CVE-2026-42084

High

Published: 04 May 2026

Modified: 04 May 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed-breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token to gain persistence in the hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

Security Summary (AI-generated)

CVE-2026-42084 affects OpenC3 COSMOS, an open-source platform for sending commands to and receiving data from embedded systems. The vulnerability resides in the password change functionality in versions prior to 6.10.5 and 7.0.0-rc3, where users can update their password without providing the current one, relying solely on a valid session token for authentication. This flaw, classified under CWE-620 (Unverified Password Change), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.

An attacker with low privileges (PR:L) who has already obtained a valid session token, for example through a prior account compromise, can exploit this over the network with low complexity and no user interaction. By submitting a password change request, the attacker can set a new password on the hijacked account, including administrative ones, thereby retaining control of the account after the original compromise and locking legitimate users out of it.

The issue has been addressed in OpenC3 COSMOS versions 6.10.5 and 7.0.0-rc3, as detailed in the project's security advisory (GHSA-wgx6-g857-jjf7) and corresponding release notes. Mitigation involves upgrading to these patched versions, with the fixing commit available at https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776.
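To make the CWE-620 pattern concrete, the following added example (written for this page, not code from the OpenC3 COSMOS project; all names and the in-memory stores are hypothetical) puts a password-change handler that trusts only the session token beside a hardened version that also verifies the current password and revokes the account's other sessions:

```ruby
require 'openssl'
require 'securerandom'

# Constructed in-memory stores standing in for a real user/session model (hypothetical, not COSMOS's).
USERS = {}     # username => { salt:, hash: }
SESSIONS = {}  # session token => username

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'sha256')
end

def password_matches?(user, password)
  OpenSSL.fixed_length_secure_compare(user[:hash], hash_password(password, user[:salt]))
end

def set_password(name, password)
  salt = SecureRandom.random_bytes(16)
  USERS[name] = { salt: salt, hash: hash_password(password, salt) }
end

# Returns a fresh session token on success, nil on failure.
def login(name, password)
  user = USERS[name]
  return nil unless user && password_matches?(user, password)
  token = SecureRandom.hex(32)
  SESSIONS[token] = name
  token
end

# CWE-620 shape: possession of a valid session token is the only check, so whoever
# holds a hijacked token can set a new password and lock the real owner out.
def change_password_unverified(token, new_password)
  name = SESSIONS[token]
  return :unauthorized unless name
  set_password(name, new_password)
  :ok
end

# Hardened shape: the token still identifies the account, but the change is gated on
# the current password, and every other session for that account is revoked.
def change_password_verified(token, old_password, new_password)
  name = SESSIONS[token]
  return :unauthorized unless name
  return :wrong_password unless password_matches?(USERS[name], old_password)
  set_password(name, new_password)
  SESSIONS.delete_if { |t, n| n == name && t != token }
  :ok
end
```

The session revocation in the hardened handler matters for the detection and response side as well: after a legitimate password change, any token an attacker captured earlier stops working.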

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1531 Account Access Removal (Impact): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

The unverified password change flaw (requiring only a valid session) directly enables adversaries to modify account credentials for persistence on hijacked accounts (T1098 Account Manipulation) and to remove access for legitimate users by resetting passwords (T1531 Account Access Removal).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References