


Perceptive Security
SOC/SIEM Consultancy

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, …
Published:
3 May 2026 at 22:00:00
Alert date:
4 May 2026 at 19:04:04
Source:
nvd.nist.gov
Identity & Access, Enterprise Applications
OpenC3 COSMOS contains a vulnerability in its password change functionality: it accepts a password change from a request that carries only a valid session token, without requiring the old password. An attacker who has obtained a valid session token can exploit this to maintain persistence in a hijacked account, including admin accounts, and prevent the legitimate user from accessing it. Versions prior to 6.10.5 and 7.0.0-rc3 are affected; the issue has been patched in 6.10.5 and 7.0.0-rc3.
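The flaw class described above, shown as an added example that is not OpenC3 COSMOS code: a token-only password change beside a form that re-verifies the current password. The `AccountStore` class, its method names, the in-memory storage and the PBKDF2 hashing are all assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed in-memory model for illustration; not OpenC3 COSMOS code.
class AccountStore
  def initialize
    @accounts = {} # user => { salt:, digest: }
    @sessions = {} # token => user
  end

  def register(user, password)
    salt = SecureRandom.bytes(16)
    @accounts[user] = { salt: salt, digest: kdf(password, salt) }
  end

  # Returns a new session token, or nil when the password is wrong.
  def login(user, password)
    return nil unless verify(user, password)
    SecureRandom.hex(32).tap { |t| @sessions[t] = user }
  end

  # Behaviour described in the advisory: a valid session token is sufficient.
  def change_password_token_only(token, new_password)
    user = @sessions[token] or return false
    @accounts[user][:digest] = kdf(new_password, @accounts[user][:salt])
    true
  end

  # Hardened: the caller must also prove knowledge of the current password.
  def change_password(token, old_password, new_password)
    user = @sessions[token] or return false
    return false unless verify(user, old_password)
    @accounts[user][:digest] = kdf(new_password, @accounts[user][:salt])
    true
  end

  def verify(user, password)
    acct = @accounts[user] or return false
    secure_eq(acct[:digest], kdf(password.to_s, acct[:salt]))
  end

  private

  def kdf(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end

  def secure_eq(a, b) # constant-time comparison of equal-length digests
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With the hardened method, a holder of a session token who does not know the current password cannot replace it, so the legitimate user keeps the ability to log in.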
Technical details
Mitigation steps:
Affected products:
OpenC3 COSMOS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-42084
https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776
https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
