CVE-2026-42084— OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42084
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经验证的口令修改
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42084
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42084
Please Login to view more intelligence information
- Release v6.10.5 · OpenC3/cosmos · GitHubx_refsource_MISC
- Release v7.0.0-rc3 · OpenC3/cosmos · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42084
Same Patch Batch · OpenC3 · 2026-05-04 · 5 CVEs total
| CVE-2026-42087 | 9.6 CRITICAL | OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Base |
| CVE-2026-42088 | 9.6 CRITICAL | OpenC3 COSMOS: Administrative Actions via the Script Runner Tool |
| CVE-2026-42086 | 4.6 MEDIUM | OpenC3 COSMOS: Self-XSS in the Command Sender |
| CVE-2026-42085 | 4.3 MEDIUM | OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames |
IV. Related Vulnerabilities
Same product: cosmos
- CVE-2026-42088
OpenC3 COSMOS: Administrative Actions via the Script Runner - CVE-2026-42087
OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Bas - CVE-2026-42086
OpenC3 COSMOS: Self-XSS in the Command Sender - CVE-2026-42085
OpenC3 COSMOS: Arbitrary write to plugins directory via path - CVE-2025-68271
Unauthenticated Remote Code Execution in openc3-api
Same vendor: OpenC3
- CVE-2026-42088
OpenC3 COSMOS: Administrative Actions via the Script Runner - CVE-2026-42087
OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Bas - CVE-2026-42086
OpenC3 COSMOS: Self-XSS in the Command Sender - CVE-2026-42085
OpenC3 COSMOS: Arbitrary write to plugins directory via path - CVE-2025-68271
Unauthenticated Remote Code Execution in openc3-api
Same weakness: CWE-620
- CVE-2026-40588
blueprintUE: Authenticated Password Change Does Not Verify C - CVE-2019-25653
Navicat for Oracle 12.1.15 Password Field Denial of Service - CVE-2026-27757
SODOLA SL902-SWTGW124AS <= 200.1.20 Unverified Password Chan - CVE-2026-24443
EventSentry < 6.0.1.20 Web Reports Unverified Password Chang - CVE-2026-2543
vichan-devel vichan Password Change pages.php unverified pas
V. Comments for CVE-2026-42084
No comments yet