CVE-2026-42087 Overview
CVE-2026-42087 is a SQL injection vulnerability in OpenC3 COSMOS, an open-source platform used to send commands to and receive telemetry from embedded systems. The flaw resides in the Time-Series Database (TSDB) component, specifically the tsdb_lookup function in cvt_model.rb. The function concatenates user-supplied input directly into a SQL query without sanitization, allowing an authenticated attacker to break out of the intended statement and execute arbitrary SQL commands. Affected releases span from version 6.7.0 up to but not including 7.0.0-rc3. The maintainers patched the issue in version 7.0.0-rc3 by introducing parameterized queries.
Critical Impact
An authenticated attacker can execute arbitrary SQL against the COSMOS TSDB, including deleting telemetry data and tampering with operational records that drive embedded system command-and-control workflows.
Affected Products
- OpenC3 COSMOS versions 6.7.0 through 6.x
- OpenC3 COSMOS pre-release versions before 7.0.0-rc3
- Deployments using the COSMOS Time-Series Database (TSDB) component
Discovery Timeline
- 2026-05-04 - CVE-2026-42087 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42087
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the COSMOS TSDB lookup path. The tsdb_lookup function builds a query by interpolating the start_time and end_time parameters directly into a SQL string. Because these values flow into the WHERE T0.PACKET_TIMESECONDS predicate without escaping or type validation, an attacker who controls these parameters can terminate the literal and append arbitrary SQL syntax. The COSMOS TSDB stores telemetry and command history for embedded systems, so successful injection enables data destruction, modification of historical telemetry, and exposure of sensitive operational data.
Root Cause
The root cause is unsafe string interpolation in both the Ruby implementation (openc3/lib/openc3/models/cvt_model.rb) and the Python implementation (openc3/python/openc3/models/cvt_model.py). Each implementation built the time-range filter using inline expressions such as "WHERE T0.PACKET_TIMESECONDS < '#{start_time}'" rather than passing values as bound parameters. The application trusted caller-supplied time values as safe SQL fragments.
Attack Vector
Exploitation requires network access to the COSMOS API and low-privilege authentication. An attacker submits crafted start_time or end_time values that close the SQL string literal and append additional statements such as DELETE, UPDATE, or subqueries. Because the scope is changed (CVSS S:C), the injection can affect TSDB content beyond the immediate query context, impacting other users and integrations that consume the same data store.
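As an added illustration, not code from the COSMOS project: a Python mirror of the two ways the advisory describes building the time-range filter, run against a constructed SQLite table (the column name comes from the advisory; the table name `tlm`, the sample rows and SQLite's `?` placeholder are assumptions). A value carrying a single quote turns the interpolated statement into a SQL syntax error, the first symptom a defender sees in the query log, while the bound version keeps that value as one comparison operand rather than parsing it, which is also why the advisory still calls for type validation.

```python
import sqlite3

# Added example, not OpenC3 code: a constructed telemetry table whose column
# name mirrors the advisory, queried with the two ways of building the filter.
SCHEMA = "CREATE TABLE tlm (PACKET_TIMESECONDS REAL, value INTEGER)"
ROWS = [(100.0, 1), (200.0, 2), (300.0, 3)]


def where_interpolated(start_time, end_time=None):
    """Pre-patch shape: caller values become part of the SQL text.
    Branch structure mirrors the excerpt (start_time alone is an upper bound)."""
    if start_time and not end_time:
        return f"WHERE T0.PACKET_TIMESECONDS < '{start_time}' LIMIT -1", []
    if start_time and end_time:
        return (f"WHERE T0.PACKET_TIMESECONDS >= '{start_time}' "
                f"AND T0.PACKET_TIMESECONDS < '{end_time}'"), []
    return "", []


def where_bound(start_time, end_time=None):
    """Post-patch shape: placeholders in the SQL, values passed separately.
    SQLite's placeholder is '?' where the COSMOS Python code uses '%s'."""
    if start_time and not end_time:
        return "WHERE T0.PACKET_TIMESECONDS < ? LIMIT -1", [start_time]
    if start_time and end_time:
        return ("WHERE T0.PACKET_TIMESECONDS >= ? "
                "AND T0.PACKET_TIMESECONDS < ?"), [start_time, end_time]
    return "", []


def run_lookup(builder, start_time, end_time=None):
    """Run the filter against a fresh in-memory table.
    Returns ('ok', sorted values) or ('error', driver message)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO tlm VALUES (?, ?)", ROWS)
        where, params = builder(start_time, end_time)
        sql = "SELECT T0.value FROM tlm AS T0 " + where
        rows = conn.execute(sql, params).fetchall()
        return "ok", sorted(r[0] for r in rows)
    except sqlite3.Error as exc:
        return "error", str(exc)
    finally:
        conn.close()
```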
# Patch excerpt: openc3/lib/openc3/models/cvt_model.rb
# Replaces inline interpolation with parameterized queries
query += "ASOF JOIN #{table_name} as T#{index} "
end
end
+ query_params = []
if start_time && !end_time
- query += "WHERE T0.PACKET_TIMESECONDS < '#{start_time}' LIMIT -1"
+ query += "WHERE T0.PACKET_TIMESECONDS < $1 LIMIT -1"
+ query_params << start_time
elsif start_time && end_time
- query += "WHERE T0.PACKET_TIMESECONDS >= '#{start_time}' AND T0.PACKET_TIMESECONDS < '#{end_time}'"
+ query += "WHERE T0.PACKET_TIMESECONDS >= $1 AND T0.PACKET_TIMESECONDS < $2"
+ query_params << start_time
+ query_params << end_time
end
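Review bot: the hunk populates `query_params` but ends before the statement is executed, so the fix is only complete if the execution call that follows receives `query_params` as bound values alongside `query` and no later branch still interpolates `start_time` or `end_time`; worth confirming against the full diff. A one-line comment on the first branch would also help readers: with only `start_time` set, `$1` acts as an upper bound (`< $1 LIMIT -1`), whereas in the two-value branch `$1` is the lower bound (`>= $1`), an asymmetry carried over from the original lines that is easy to misread.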
Source: GitHub Commit 9ba60c0
# Patch excerpt: openc3/python/openc3/models/cvt_model.py
else:
query += f"ASOF JOIN {table_name} as T{index} "
+ query_params = []
if start_time and not end_time:
- query += f"WHERE T0.PACKET_TIMESECONDS < '{start_time}' LIMIT -1"
+ query += "WHERE T0.PACKET_TIMESECONDS < %s LIMIT -1"
+ query_params.append(start_time)
elif start_time and end_time:
- query += f"WHERE T0.PACKET_TIMESECONDS >= '{start_time}' AND T0.PACKET_TIMESECONDS < '{end_time}'"
+ query += "WHERE T0.PACKET_TIMESECONDS >= %s AND T0.PACKET_TIMESECONDS < %s"
+ query_params.append(start_time)
+ query_params.append(end_time)
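Review bot: dropping the `f` prefix is the essential change here, but `%s` is only safe if `query_params` is handed to the driver as the parameter argument of its execute call; applying it with Python's `%` operator would reintroduce the same interpolation, and the excerpt stops before that call. Note also that neither branch shown covers `end_time` supplied without `start_time`, so if the full function has no such branch that value is silently ignored rather than rejected.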
Source: GitHub Commit 9ba60c0
Detection Methods for CVE-2026-42087
Indicators of Compromise
- Authenticated COSMOS API requests containing single quotes, semicolons, or SQL keywords (UNION, DELETE, DROP, --) in start_time or end_time parameters.
- Unexpected TSDB row deletions or schema-altering operations in COSMOS database audit logs.
- TSDB query errors referencing malformed WHERE T0.PACKET_TIMESECONDS clauses originating from the tsdb_lookup code path.
Detection Strategies
- Inspect web and API gateway logs for non-numeric or quoted values supplied to time-range parameters in COSMOS TSDB endpoints.
- Enable database query logging on the TSDB backend and alert on statements that contain stacked queries or unexpected DELETE/UPDATE verbs.
- Compare current TSDB record counts and checksums against trusted backups to identify unexplained data loss.
Monitoring Recommendations
- Forward COSMOS application logs and TSDB audit logs to a centralized analytics platform for anomaly detection.
- Monitor for spikes in failed TSDB queries, which often precede successful injection attempts during attacker probing.
- Track authenticated user sessions issuing tsdb_lookup calls outside normal operational windows or from unfamiliar source addresses.
How to Mitigate CVE-2026-42087
Immediate Actions Required
- Upgrade all OpenC3 COSMOS deployments to version 7.0.0-rc3 or later, which replaces inline interpolation with parameterized queries.
- Restrict network access to the COSMOS management interface and API to trusted operator networks only.
- Rotate credentials for any COSMOS accounts that could have been used to access the TSDB during the exposure window.
- Validate the integrity of TSDB telemetry against offline backups to confirm no records were deleted or altered.
Patch Information
The maintainers fixed the vulnerability in OpenC3 COSMOS v7.0.0-rc3. The patch is detailed in GitHub Security Advisory GHSA-v529-vhwc-wfc5 and implemented in commit 9ba60c0. Both Ruby and Python implementations of cvt_model now use bound parameters ($1/$2 and %s).
Workarounds
- If immediate upgrade is not possible, disable or block external access to the TSDB lookup endpoints until the patch can be applied.
- Apply strict input validation at a reverse proxy or WAF, rejecting start_time and end_time values that do not match a numeric or ISO-8601 timestamp pattern.
- Limit COSMOS user accounts to the minimum privilege set, and revoke TSDB write access for any role that does not require it.
# Example: enforce numeric-only time parameters at an Nginx reverse proxy
location /cosmos-api/tsdb/ {
if ($arg_start_time !~ "^[0-9.]+$") { return 400; }
if ($arg_end_time !~ "^[0-9.]*$") { return 400; }
proxy_pass http://cosmos_backend;
}
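An added example, not part of the advisory or the COSMOS project, that serves both the log-inspection strategy under Detection Strategies and the numeric/ISO-8601 validation rule described under Workarounds: the allow-list check as a Python function, run over constructed gateway log lines. The `/cosmos-api/tsdb/` path prefix is an assumption carried over from the Nginx snippet above, not a real COSMOS route, and the log format (method, URL, status) is likewise constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample gateway log lines (method, request URL, status); not real
# COSMOS logs. The path prefix is an assumption, not the actual COSMOS route.
SAMPLE_LOG = """\
GET /cosmos-api/tsdb/lookup?start_time=1715000000.5&end_time=1715003600 200
GET /cosmos-api/tsdb/lookup?start_time=2026-05-04T12:00:00Z 200
GET /cosmos-api/tsdb/lookup?start_time=1715000000'%20OR%201=1-- 500
GET /cosmos-api/tsdb/lookup?start_time=1'%3BDELETE%20FROM%20tlm%3B-- 500
GET /cosmos-api/other?start_time=abc 200
GET /cosmos-api/tsdb/lookup?start_time=yesterday&end_time= 400
"""

TIME_PARAMS = ("start_time", "end_time")
NUMERIC = re.compile(r"^[0-9]+(\.[0-9]+)?$")
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")
SQL_TOKENS = re.compile(r"['\";]|--|\b(UNION|SELECT|DELETE|UPDATE|INSERT|DROP)\b", re.I)


def is_valid_time(value):
    """Allow-list check from the workaround: plain seconds or an ISO-8601 timestamp."""
    return bool(NUMERIC.match(value) or ISO8601.match(value))


def classify(value):
    """'ok', 'sql_injection_pattern' (quote, semicolon, comment or SQL verb) or 'malformed'."""
    if is_valid_time(value):
        return "ok"
    return "sql_injection_pattern" if SQL_TOKENS.search(value) else "malformed"


def scan_log(text, path_prefix="/cosmos-api/tsdb/"):
    """Return one finding per rejected time parameter seen on TSDB requests."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        url, status = parts[1], parts[2]
        parsed = urlsplit(url)
        if not parsed.path.startswith(path_prefix):
            continue
        # parse_qs percent-decodes values (%3B -> ';') and drops blank ones like 'end_time='
        for name in TIME_PARAMS:
            for raw in parse_qs(parsed.query).get(name, []):
                verdict = classify(raw)
                if verdict != "ok":
                    findings.append({"line": lineno, "param": name, "value": raw,
                                     "verdict": verdict, "status": status})
    return findings
```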
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.