CVE-2026-42084
Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, accepting a valid session token instead. In an assumed-breach scenario, an attacker who has already obtained a valid session token can exploit this behaviour to gain persistence in the hijacked account (including admin accounts) and to lock legitimate users out of it. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
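To make the flaw concrete, the following Ruby illustration (added here; it is not OpenC3's code, and every name in it is an assumption) places a token-only password change beside the hardened form that re-authenticates with the current password and revokes the account's other sessions. The account store, the PBKDF2 hashing and the scenario are all constructed for this example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed in-memory account model (not OpenC3's storage).
Account = Struct.new(:username, :salt, :password_hash)

# PBKDF2-HMAC-SHA256 stands in for a real password hash; the iteration
# count is kept low so the scenario below runs quickly.
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, 'sha256')
end

# Constant-time comparison so a wrong password does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class AccountStore
  def initialize
    @accounts = {}   # username => Account
    @sessions = {}   # session token => username
  end

  def create(username, password)
    salt = SecureRandom.random_bytes(16)
    @accounts[username] = Account.new(username, salt, hash_password(password, salt))
  end

  # Returns a fresh session token on success, nil on failure.
  def login(username, password)
    acct = @accounts[username]
    return nil unless acct && secure_equal?(acct.password_hash, hash_password(password, acct.salt))
    token = SecureRandom.hex(16)
    @sessions[token] = username
    token
  end

  def account_for(token)
    username = @sessions[token]
    username && @accounts[username]
  end

  # Weak pattern: possession of a valid session token is the only check,
  # so whoever holds a stolen token can set a new password.
  def change_password_token_only(token, new_password)
    acct = account_for(token)
    return :unauthorized unless acct
    set_password(acct, new_password)
    :ok
  end

  # Hardened pattern: require the current password in addition to the
  # session, then revoke every other session for the account.
  def change_password_reauth(token, old_password, new_password)
    acct = account_for(token)
    return :unauthorized unless acct
    unless secure_equal?(acct.password_hash, hash_password(old_password, acct.salt))
      return :wrong_old_password
    end
    set_password(acct, new_password)
    @sessions.delete_if { |t, u| u == acct.username && t != token }
    :ok
  end

  private

  def set_password(acct, new_password)
    acct.salt = SecureRandom.random_bytes(16)
    acct.password_hash = hash_password(new_password, acct.salt)
  end
end

# Scenario: an attacker holds a session token for 'admin' (how it was
# obtained is assumed); the legitimate owner knows only the password.
def run_scenario
  results = {}

  weak = AccountStore.new
  weak.create('admin', 'correct horse')
  stolen = weak.login('admin', 'correct horse')
  results[:weak_change] = weak.change_password_token_only(stolen, 'attacker-chosen')
  results[:weak_owner_locked_out] = weak.login('admin', 'correct horse').nil?

  hard = AccountStore.new
  hard.create('admin', 'correct horse')
  stolen = hard.login('admin', 'correct horse')
  owner = hard.login('admin', 'correct horse')
  results[:hard_change_without_old] = hard.change_password_reauth(stolen, 'guess', 'attacker-chosen')
  results[:hard_owner_still_logs_in] = !hard.login('admin', 'correct horse').nil?
  results[:hard_change_with_old] = hard.change_password_reauth(owner, 'correct horse', 'rotated')
  results[:hard_other_sessions_revoked] = hard.account_for(stolen).nil?
  results
end
```

The hardened handler does two things the weak one does not: it proves knowledge of the current secret before accepting a new one, and it invalidates the other sessions so a previously stolen token stops working the moment the owner rotates the password.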
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openc3 (RubyGems) | < 6.10.5 | 6.10.5 |
| openc3 (RubyGems) | >= 7.0.0.pre.rc1, < 7.0.0-rc3 | 7.0.0-rc3 |
References
- github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776 (NVD: Patch)
- github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7 (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-wgx6-g857-jjf7 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42084 (GHSA: Advisory)
- github.com/OpenC3/cosmos/releases/tag/v6.10.5 (NVD: Release Notes)
- github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 (NVD: Release Notes)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2026-42084.yml (GHSA)