CVE Catalog

CVE-2026-42088

Critical
Published: Translated: NVD NIST

Summary

OpenC3 COSMOS prior to version 7.0.0-rc3 allows users to execute Python and Ruby scripts from the openc3-COSMOS-script-runner-api container. This enables bypassing API permissions checks and performing administrative actions, including modifying data in the Redis database.

Risk Assessment

The organization may be exposed to unauthorized access to data and the ability to modify COSMOS settings by users who have permission to create and run scripts.

Recommendation

It is recommended to upgrade to version 7.0.0-rc3 to mitigate this vulnerability and to restrict script creation and execution permissions to trusted users only.

Original NVD description (English source)

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS