CVE-2026-42084 HIGH

CVE-2026-42084: OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence

Vendor Openc3
Product cosmos
Weakness CWE-620 · Unverified password change
Published May 4, 2026
Last update May 6, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.

Key dates

02Disclosure timeline

May 4, 2026 CVE published
May 6, 2026 Record updated