CVE-2026-42084 Overview
OpenC3 COSMOS is an open-source command and control platform used to send commands and receive telemetry from embedded systems. CVE-2026-42084 affects the password change functionality in versions prior to 6.10.5 and 7.0.0-rc3. The flaw allows a user to change their password without supplying the current password, because the endpoint accepts a valid session token as authorization. An attacker who already holds a valid session token can rotate the account password, achieve persistent control of the account, and lock out the legitimate user. The issue is classified under CWE-620: Unverified Password Change.
Critical Impact
An attacker with a stolen session token, including one belonging to an administrator, can permanently hijack the account by resetting its password without knowing the original credentials.
Affected Products
- OpenC3 COSMOS versions prior to 6.10.5
- OpenC3 COSMOS 7.x versions prior to 7.0.0-rc3
- Deployments using OpenC3::AuthModel for session and password verification
Discovery Timeline
- 2026-05-04 - CVE-2026-42084 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42084
Vulnerability Analysis
The vulnerability resides in the password change workflow exposed by openc3-cosmos-cmd-tlm-api/app/controllers/auth_controller.rb. When a user requested a password update, the controller invoked OpenC3::AuthModel.verify_no_service with no_password: false. That mode accepted either the current password or any valid session token as proof of identity. An attacker who obtained a session token through phishing, browser compromise, log exposure, or token theft could submit it as the "current password" parameter and successfully change the account password.
The behavior breaks the security boundary between authentication and re-authentication. Standard password change flows require knowledge of the existing password to defend against session hijacking and assumed-breach scenarios. By accepting a session token, COSMOS allowed token-only persistence on the account, including for administrative users with full command authority over connected embedded systems.
Root Cause
The root cause is a mode-selection flaw in OpenC3::AuthModel.verify_no_service. The function used a single boolean (no_password) that conflated two distinct verification policies. When invoked from the password change handler, it permitted token-based verification where password-only verification was required. The patch replaces the boolean with an explicit mode parameter accepting :password, :token, or :any, and the password change endpoint now uses mode: :password.
Attack Vector
Exploitation requires network access to the COSMOS API and a valid session token for the targeted account. The attacker submits a password change request, supplying the captured session token in place of the current password. The server validates the token, accepts the new password, and persists it. The legitimate user is then unable to authenticate, while the attacker retains long-term access.
# Vulnerable call site in auth_controller.rb (before patch)
if OpenC3::AuthModel.verify_no_service(params[:password], no_password: false)
render :plain => OpenC3::AuthModel.generate_session()
else
record_user_bad_attempt
end
# Patched call site (after fix) - enforces password-only verification
if OpenC3::AuthModel.verify_no_service(params[:password], mode: :password)
render :plain => OpenC3::AuthModel.generate_session()
else
record_user_bad_attempt
end
Source: OpenC3 COSMOS commit 2e62371
Detection Methods for CVE-2026-42084
Indicators of Compromise
- Password change events on COSMOS accounts not preceded by a corresponding interactive password entry from the user.
- Successful authentication followed shortly by a password update from the same session token, particularly for administrative accounts.
- Repeated failed logins from a legitimate user after a successful password change initiated from an unfamiliar IP address.
Detection Strategies
- Audit auth_controller request logs for POST calls to the password change endpoint and correlate with the source session token age and origin.
- Compare the IP address and user agent of the password change request to recent baseline activity for the affected account.
- Alert on any password change for administrative or service accounts in COSMOS deployments running versions earlier than 6.10.5 or 7.0.0-rc3.
Monitoring Recommendations
- Forward COSMOS application logs to a centralized log platform and build queries for password change events tied to session-token-only authentication.
- Monitor for lockout patterns where a legitimate user repeatedly fails login immediately after a successful password reset.
- Track session token issuance and reuse, flagging tokens used from multiple geolocations within short time windows.
How to Mitigate CVE-2026-42084
Immediate Actions Required
- Upgrade OpenC3 COSMOS to version 6.10.5 or 7.0.0-rc3 or later without delay.
- Force a password reset for all COSMOS users, prioritizing administrative accounts, after upgrading.
- Invalidate all active session tokens to evict any attacker who may already have established persistence.
- Review recent password change events in audit logs for anomalies and revert any unauthorized changes.
Patch Information
The maintainers fixed the issue in OpenC3 COSMOS v6.10.5 and OpenC3 COSMOS v7.0.0-rc3. The change replaces the no_password boolean in OpenC3::AuthModel.verify_no_service with an explicit mode parameter and updates the password change controller to require mode: :password. Full details are available in the GitHub Security Advisory GHSA-wgx6-g857-jjf7.
Workarounds
- If immediate upgrade is not possible, restrict network access to the COSMOS API to trusted management subnets only.
- Shorten session token lifetimes and require re-authentication for sensitive operations such as password changes.
- Rotate all user credentials and session secrets, and audit administrative accounts for unexpected modifications.
# Upgrade OpenC3 COSMOS to a patched release
git fetch --tags
git checkout v6.10.5 # or v7.0.0-rc3 for the 7.x release line
# Rebuild and restart the COSMOS containers
./openc3.sh stop
./openc3.sh build
./openc3.sh start
# After upgrade, force password rotation for all users via the admin console
# and invalidate existing session tokens by restarting the auth services.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
