CVE-2026-42088 Overview
OpenC3 COSMOS is an open-source platform for commanding and receiving telemetry from embedded systems. CVE-2026-42088 affects versions prior to 7.0.0-rc3, where the Script Runner widget executes user-supplied Python and Ruby scripts inside the openc3-cosmos-script-runner-api container. Because all COSMOS Docker containers run on a single shared network, any user permitted to run scripts can open connections to internal services directly from a script. Those connections never pass through the API's permission checks, so a user who can only run scripts gains administrative reach into Redis, the buckets service, and other backend components. The flaw is tracked under [CWE-250: Execution with Unnecessary Privileges].
Critical Impact
Authenticated low-privilege users can read and modify Redis data, exfiltrate secrets, alter COSMOS settings, and tamper with configuration, log, and plugin files stored in the buckets service.
Affected Products
- OpenC3 COSMOS versions prior to 7.0.0-rc3
- OpenC3 COSMOS Script Runner API container (openc3-cosmos-script-runner-api)
- COSMOS deployments using the default shared Docker network
Discovery Timeline
- 2026-05-04 - CVE-2026-42088 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-42088
Vulnerability Analysis
The Script Runner widget in OpenC3 COSMOS allows authenticated users to submit Python and Ruby scripts for execution. These scripts run inside the Script Runner API container with full network reachability to every other COSMOS service container. The platform enforces administrative boundaries at the HTTP API layer rather than at the network layer.
A user with script execution rights can issue raw socket or HTTP connections from within the script. These connections bypass the API gateway entirely and reach Redis, the object storage buckets service, and other internal endpoints directly. The attacker effectively inherits the trust granted to the Script Runner container itself.
From this position, an attacker can read or modify Redis keys that store secrets and operational settings. The same path allows reading and writing arbitrary objects in the buckets service, including plugin files that COSMOS loads at runtime. Writing a malicious plugin enables persistence and broader code execution within the COSMOS deployment.
Root Cause
The root cause is a privilege boundary mismatch. COSMOS treats API permission checks as the sole authorization control, yet the Script Runner container shares a flat Docker network with privileged services that lack their own authentication. Scripts running inside that container therefore execute with implicit administrative reach, satisfying the conditions for [CWE-250].
Attack Vector
An authenticated user with permission to create and run scripts submits a script through the Script Runner widget. The script opens TCP connections to internal hostnames such as the Redis service or the buckets service over the shared Docker network. Once connected, the script issues commands to dump secrets, change settings, or upload plugin files, all without invoking any COSMOS API. See the GitHub Security Advisory GHSA-2wvh-87g2-89hr for advisory details.
Detection Methods for CVE-2026-42088
Indicators of Compromise
- Connections to Redis (6379) or the buckets service from the openc3-cosmos-script-runner-api container that originate from a spawned script interpreter (python or ruby) rather than from the Script Runner API server process. The container legitimately uses both services for its own operation, so the originating process, not the container, is the discriminator.
- Unexpected Redis CONFIG, KEYS, FLUSHALL/FLUSHDB, or bulk key-enumeration commands, observed through MONITOR sampling or SLOWLOG, outside normal administrative windows.
- New or modified plugin objects in the buckets service uploaded without an audit trail in the Admin Console.
- Script Runner job history showing scripts that import socket libraries or HTTP clients targeting internal service names.
Detection Strategies
- Audit Script Runner script content for imports or requires of socket, redis, boto3, aws-sdk-s3, net/http, or other HTTP client libraries, and for literal references to internal hostnames or the Redis port.
- Monitor container-to-container network flows with process attribution (eBPF or Falco-style tooling) and alert when a script interpreter process inside the Script Runner container connects to Redis or the buckets service. Container-level flow data alone is not enough, because the Script Runner API container makes those same connections for its own operation.
- Compare Redis and buckets service modification timestamps against authenticated Admin Console activity logs.
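The script-content audit from the first strategy above, as an added example that is not OpenC3 code. It scans a script body line by line for Python imports and Ruby requires of network libraries, raw socket calls, and literal internal host names or ports. The host names openc3-redis and openc3-minio and the buckets port 9000 are assumptions to be replaced with the service names from your own compose file; the two sample scripts are constructed for the demonstration.

```python
"""Static audit of Script Runner script bodies for direct backend access.

Added example, not OpenC3 code. It flags script lines that import or require
network libraries, open raw sockets, or mention internal service hosts/ports.
The host names and the buckets port are assumptions; substitute the service
names from your own compose file.
"""
import re
from dataclasses import dataclass

# Assumed internal service names (hypothetical, adjust to your deployment).
INTERNAL_HOSTS = ("openc3-redis", "openc3-minio")
# 6379 is Redis, as named in the advisory; 9000 for the buckets service is an assumption.
INTERNAL_PORTS = ("6379", "9000")

# Libraries and calls that let a script talk to backend services without
# going through the COSMOS API. Python imports and Ruby requires are covered.
LIBRARY_PATTERNS = [
    (re.compile(r"^\s*(?:import|from)\s+(?:socket|redis|boto3|botocore|requests|urllib|http\.client|httpx)\b"),
     "python network library"),
    (re.compile(r"^\s*require\s+['\"](?:socket|redis|net/http|aws-sdk-s3|aws-sdk|open-uri|faraday)['\"]"),
     "ruby network library"),
    (re.compile(r"\b(?:TCPSocket\.(?:new|open)|socket\.(?:socket|create_connection))\s*\("),
     "raw socket"),
]
HOST_PATTERN = re.compile("|".join(re.escape(h) for h in INTERNAL_HOSTS))
PORT_PATTERN = re.compile(r"(?<![\w.])(?:" + "|".join(INTERNAL_PORTS) + r")(?![\w.])")


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    text: str


def audit_script(source: str) -> list:
    """Return one Finding per suspicious line, in line order.

    Comments are deliberately not stripped: a commented-out 'import socket'
    is still worth a reviewer's attention.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if not line.strip():
            continue
        for pattern, reason in LIBRARY_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, reason, line.strip()))
                break
        else:
            if HOST_PATTERN.search(line):
                findings.append(Finding(line_no, "internal host name", line.strip()))
            elif PORT_PATTERN.search(line):
                findings.append(Finding(line_no, "internal service port", line.strip()))
    return findings


def is_suspicious(source: str) -> bool:
    """True when the script needs manual review before it is allowed to run."""
    return bool(audit_script(source))


# Constructed sample scripts for demonstration (not taken from any deployment).
BENIGN_PY = """\
# Ordinary COSMOS procedure: command the INST target and check telemetry
cmd("INST COLLECT with TYPE NORMAL, DURATION 5")
wait_check("INST HEALTH_STATUS COLLECTS > 0", 10)
"""

SUSPICIOUS_RB = """\
require 'socket'
s = TCPSocket.new('openc3-redis', 6379)
s.write("CONFIG GET dir\\r\\n")
puts s.gets
"""

if __name__ == "__main__":
    for name, body in (("benign.py", BENIGN_PY), ("suspicious.rb", SUSPICIOUS_RB)):
        print(name, "-> review" if is_suspicious(body) else "-> ok")
        for f in audit_script(body):
            print(f"  line {f.line_no}: {f.reason}: {f.text}")
```

The check is a triage filter, not a sandbox: a script can reach the same services through indirection the patterns do not name, so a clean result means only that the script does not need priority review, while any finding should block the run until an operator has read the script.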
Monitoring Recommendations
- Enable Docker network flow logging and forward events to a centralized analytics platform for correlation.
- Track changes to COSMOS settings, plugin files, and bucket contents and alert on writes that bypass the Admin Console.
- Review Script Runner audit logs daily for low-privilege users submitting scripts that perform network operations.
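The timestamp correlation named in the detection strategies and in the monitoring recommendations above, as an added example that is not OpenC3 code. It joins bucket object writes against Admin Console audit records by object key within a time window and reports writes under operator-controlled prefixes that have no matching console action. The record layouts, the key prefixes, the principal names and the sample events are all constructed for the demonstration; map your real bucket access log and Admin Console audit log onto the same fields.

```python
"""Correlate object writes in the buckets service with Admin Console activity.

Added example, not OpenC3 code. The record layouts, key prefixes, principal
names and timestamps below are constructed for illustration; map your real
bucket access log and Admin Console audit log onto the same fields.
"""
from bisect import bisect_left
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BucketWrite:
    ts: datetime
    key: str        # object key inside the bucket
    principal: str  # credential or service that performed the write (hypothetical names)


@dataclass(frozen=True)
class AdminAction:
    ts: datetime
    user: str
    action: str     # e.g. "plugin.install" (hypothetical action names)
    key: str        # object key the action is expected to produce


# Key prefixes treated as operator-controlled (assumed layout). Log objects
# are written continuously by COSMOS's own services and are left out so the
# check does not page on routine activity.
WATCHED_PREFIXES = ("plugins/", "config/")


def unattributed_writes(writes, actions, window=timedelta(minutes=5)):
    """Return writes under a watched prefix that have no Admin Console action
    on the same key within +/- `window`. The symmetric window tolerates the
    audit record landing slightly before or after the object write."""
    stamps_by_key = {}
    for a in actions:
        stamps_by_key.setdefault(a.key, []).append(a.ts)
    for stamps in stamps_by_key.values():
        stamps.sort()

    flagged = []
    for w in writes:
        if not w.key.startswith(WATCHED_PREFIXES):
            continue
        stamps = stamps_by_key.get(w.key, [])
        i = bisect_left(stamps, w.ts - window)      # first action at or after the window start
        if i < len(stamps) and stamps[i] <= w.ts + window:
            continue                                 # attributed to a console action
        flagged.append(w)
    return flagged


# Constructed sample data.
T0 = datetime(2026, 5, 4, 9, 0, 0)
ADMIN_ACTIONS = [
    AdminAction(T0, "ops_admin", "plugin.install", "plugins/demo-1.0.0.gem"),
]
BUCKET_WRITES = [
    # Installed through the Admin Console: matching audit record 20 s earlier.
    BucketWrite(T0 + timedelta(seconds=20), "plugins/demo-1.0.0.gem", "openc3-api"),
    # Routine log write by a COSMOS service: outside the watched prefixes.
    BucketWrite(T0 + timedelta(minutes=30), "logs/DEFAULT/tlm.bin", "openc3-log"),
    # Plugin object that appeared with no console action at all.
    BucketWrite(T0 + timedelta(minutes=42), "plugins/maint-helper-0.1.0.gem", "openc3-script-runner"),
]

if __name__ == "__main__":
    for w in unattributed_writes(BUCKET_WRITES, ADMIN_ACTIONS):
        print(f"ALERT {w.ts:%Y-%m-%dT%H:%M:%S} {w.key} written by {w.principal} with no Admin Console record")
```

Tune the window to the real latency between a console action and the resulting object write in your deployment; a window that is too generous lets a script-originated write hide behind an unrelated plugin install on the same key.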
How to Mitigate CVE-2026-42088
Immediate Actions Required
- Upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later, where this issue is patched. See GitHub Release v7.0.0-rc3 and GitHub Release v7.0.0.
- Restrict Script Runner permissions to trusted operators only, and remove the capability from any role that does not require it.
- Rotate all secrets stored in Redis, including API keys, plugin tokens, and credentials reachable from the COSMOS containers.
Patch Information
OpenC3 fixed CVE-2026-42088 in COSMOS 7.0.0-rc3, and the fix is carried forward into the general availability release 7.0.0. Operators should pull the updated container images and redeploy the full stack rather than only the Script Runner API container, so that every service runs the patched images and configuration.
Workarounds
- Segment the Docker network so that scripts cannot reach Redis or the buckets service directly. Note that the Script Runner API container itself needs both services in order to run scripts at all, so isolating the whole container breaks Script Runner; the isolation has to apply to the script execution process, which is why upgrading is the preferred fix.
- Disable the Script Runner widget or revoke script execution permissions for non-administrative users until the patch is applied.
- Enable Redis authentication and require credentials for the buckets service. This reduces the impact only for secrets the Script Runner container does not hold: any credential present in that container's environment or files remains readable to a script running there.
# Configuration example: pull and deploy the patched release
# Run from a clone of the OpenC3 COSMOS repository that holds the compose file.
# Check out v7.0.0 instead of v7.0.0-rc3 if the GA tag is available.
git fetch --tags
git checkout v7.0.0-rc3
# Pull the patched images for every service and recreate the whole stack,
# not just the Script Runner API container.
docker compose pull
docker compose up -d
# Then rotate the secrets reachable from the containers (see Immediate Actions).
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.