CVE-2026-42084 (GCVE-0-2026-42084)
Vulnerability from cvelistv5 – Published: 2026-05-04 17:11 – Updated: 2026-05-06 13:39
VLAI?
Title
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Summary
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
Severity ?
8.1 (High)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T13:39:31.426814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T13:39:58.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cosmos",
"vendor": "OpenC3",
"versions": [
{
"status": "affected",
"version": "\u003c 6.10.5"
},
{
"status": "affected",
"version": "\u003e= 7.0.0.pre.rc1, \u003c 7.0.0-rc3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620: Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:31.853Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"
},
{
"name": "https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776"
},
{
"name": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5"
},
{
"name": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
}
],
"source": {
"advisory": "GHSA-wgx6-g857-jjf7",
"discovery": "UNKNOWN"
},
"title": "OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42084",
"datePublished": "2026-05-04T17:11:31.853Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-05-06T13:39:58.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42084",
"date": "2026-05-06",
"epss": "0.00028",
"percentile": "0.07824"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42084\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-04T18:16:30.357\",\"lastModified\":\"2026-05-06T15:16:11.120\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-620\"}]}],\"references\":[{\"url\":\"https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OpenC3/cosmos/releases/tag/v6.10.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42084\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-06T13:39:31.426814Z\"}}}], \"references\": [{\"url\": \"https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-06T13:39:49.539Z\"}}], \"cna\": {\"title\": \"OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence\", \"source\": {\"advisory\": \"GHSA-wgx6-g857-jjf7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"OpenC3\", \"product\": \"cosmos\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.10.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.0.0.pre.rc1, \u003c 7.0.0-rc3\"}]}], \"references\": [{\"url\": \"https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7\", \"name\": \"https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776\", \"name\": \"https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OpenC3/cosmos/releases/tag/v6.10.5\", \"name\": \"https://github.com/OpenC3/cosmos/releases/tag/v6.10.5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3\", \"name\": \"https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-620\", \"description\": \"CWE-620: Unverified Password Change\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-04T17:11:31.853Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42084\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-06T13:39:58.104Z\", \"dateReserved\": \"2026-04-23T19:17:30.566Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-04T17:11:31.853Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-42084
Vulnerability from fkie_nvd - Published: 2026-05-04 18:16 - Updated: 2026-05-06 15:16
Severity ?
Summary
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3."
}
],
"id": "CVE-2026-42084",
"lastModified": "2026-05-06T15:16:11.120",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-04T18:16:30.357",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-620"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-WGX6-G857-JJF7
Vulnerability from github – Published: 2026-04-22 22:13 – Updated: 2026-05-04 20:08
VLAI?
Summary
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Details
Summary
The OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account.
Details
The design flaw in authentication model (authentication.rb) allows for interchangeable use of password and session tokens for user authentication As old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account’s password even after the victim resets it, thereby maintaining persistent control over the compromised account.
PoC
- Attacker is logged in user account with hijacked valid session token, but not knowing the actual password
- Legitimate user, as preventive action, changes his password (password123) using old password (password), that he knows, then establishes new session
- Attacker issues another password change request (in web proxy like Burp) supplying his still valid token as old_password, changing it to attacker-password, from this point preventing any other legitimate users from accessing account
Impact
Persistence of an attacker who obtained valid session token and preventing legitimate users from account access
Severity ?
8.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0.pre.rc1"
},
{
"fixed": "7.0.0-rc3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42084"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T22:13:10Z",
"nvd_published_at": "2026-05-04T18:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\nThe OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account.\n\n### Details\nThe design flaw in authentication model ([authentication.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/authentication.rb)) allows for interchangeable use of password and session tokens for user authentication As old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account\u2019s password even after the victim resets it, thereby maintaining persistent control over the compromised account.\n\n### PoC\n1. Attacker is logged in user account with hijacked valid session token, but not knowing the actual password\n2. Legitimate user, as preventive action, changes his password (_password123_) using old password (_password_), that he knows, then establishes new session\n3. Attacker issues another password change request (in web proxy like Burp) supplying his still valid token as _old_password_, changing it to attacker-password, from this point preventing any other legitimate users from accessing account\n\u003cimg width=\"912\" height=\"479\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d27b5980-0326-40f8-bb39-657d7b1c95a0\" /\u003e\n\u003cimg width=\"923\" height=\"423\" alt=\"image\" src=\"https://github.com/user-attachments/assets/060d9fe1-637e-4a2d-9142-76612984ea28\" /\u003e\n\n### Impact\nPersistence of an attacker who obtained valid session token and preventing legitimate users from account access",
"id": "GHSA-wgx6-g857-jjf7",
"modified": "2026-05-04T20:08:46Z",
"published": "2026-04-22T22:13:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42084"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenC3/cosmos"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…