CVE-2026-42088
Published: 04 May 2026
Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.
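As an added illustration (not OpenC3 COSMOS's own compose file, and not the change shipped in 7.0.0-rc3, which this advisory does not describe), the two Docker Compose documents below contrast the flat network layout the description refers to with a segmented one in which the container that runs user scripts can only reach the API. Service names, images, ports, and environment variables are assumptions chosen for the example.

```yaml
# Added example, not the project's compose file. Names are assumptions.
# Document 1: weak layout. No `networks:` block, so Compose puts every
# service on one default network and any container can open a socket
# to any other, including a user script running inside script-runner.
services:
  api:
    image: example/api              # placeholder image
    environment:
      REDIS_URL: redis://redis:6379
  script-runner:
    image: example/script-runner    # executes user-supplied Python/Ruby
    environment:
      REDIS_URL: redis://redis:6379 # backend reachable AND credentials present
  redis:
    image: redis:7
  buckets:
    image: example/buckets          # placeholder for the object-store service
---
# Document 2: segmented layout. Only `api` sits on both networks; the
# script container has no route to redis or buckets, so a script must
# go through the API, where the permission check is enforced.
services:
  api:
    image: example/api
    networks: [frontend, backend]   # sole bridge between user-facing and backend
    environment:
      REDIS_URL: redis://redis:6379
  script-runner:
    image: example/script-runner
    networks: [frontend]            # redis:6379 and buckets are unroutable from here
    environment:
      API_URL: http://api:8080      # assumption: scripts reach state via the API
    # deliberately no Redis credentials in this container's environment
  redis:
    image: redis:7
    networks: [backend]
    command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}"]  # defence in depth
  buckets:
    image: example/buckets
    networks: [backend]

networks:
  frontend:
  backend:
    internal: true                  # no external routing for backend services
```

Segmentation is only part of the picture: a container that executes untrusted scripts must also not carry credentials for backend services in its environment or mounted files, otherwise a script can still authenticate once any path to the backend exists. A quick check on a running stack is `docker network inspect` on each network, confirming that the script-execution container appears only where intended.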
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Policy promotes least privilege by defining necessary privileges and management commitment to them.
- Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights.
- Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
- Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.
- Directly prevents execution with more privileges than needed for assigned tasks.
- Role-based training on least privilege principles reduces the chance personnel assign or retain unnecessary privileges.
- Analysis of audit records can identify execution with unnecessary privileges through unusual activity patterns.
- Automatic termination after a defined period eliminates unnecessary privileges from persistent connections.
Security Summary (AI-generated)
CVE-2026-42088 is a high-severity vulnerability (CVSS 9.6, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) affecting OpenC3 COSMOS prior to version 7.0.0-rc3. The issue resides in the Script Runner widget within the openc3-COSMOS-script-runner-api Docker container, which enables users to execute Python and Ruby scripts. Due to all Docker containers sharing a network, these scripts can bypass API permissions checks, allowing unauthorized access to other services.
Any authenticated user with permission to create and run scripts can exploit this vulnerability remotely over the network. Successful exploitation grants administrative capabilities normally restricted to the Admin Console, including reading and modifying data in the Redis database to access secrets and alter COSMOS settings, as well as reading and writing to the buckets service containing configuration, log, and plugin files.
The vulnerability has been addressed in OpenC3 COSMOS version 7.0.0-rc3, as detailed in the project's release notes and GitHub Security Advisory GHSA-2wvh-87g2-89hr. Security practitioners should upgrade to the patched version to mitigate the risk. The issue is associated with CWE-250 (Execution with Unnecessary Privileges).
Details
- CWE(s): CWE-250 (Execution with Unnecessary Privileges)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability enables Python script execution (T1059.006) inside the shared Docker network, which is used to bypass the API permission checks and escalate to administrative privileges (T1068), to read secrets directly from Redis (T1552), and to access data in the database and bucket repositories (T1213.006).