CVE-2026-42084
Analyzed Analyzed - Analysis Complete
Password Change Without Old Password in OpenC3 COSMOS

Publication date: 2026-05-04

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-42084
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openc3 cosmos 7.0.0
openc3 cosmos 7.0.0
openc3 cosmos to 6.10.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenC3 COSMOS versions prior to 6.10.5 and 7.0.0-rc3, where the password change functionality allows a user to change their password without providing the old password. Instead, it accepts a valid session token to authorize the change.

This means that if an attacker has already obtained a valid session token, they can exploit this behavior to change the password of the account associated with that token without knowing the original password.

Impact Analysis

This vulnerability can allow an attacker who has a valid session token to gain persistence in a hijacked account, including accounts with administrative privileges.

By changing the password without needing the old one, the attacker can prevent legitimate users from accessing their accounts, effectively locking them out.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenC3 COSMOS to version 6.10.5 or later, or to version 7.0.0-rc3 or later, where the issue has been patched.

Additionally, in environments where an assumed breach is possible, monitor and restrict access to valid session tokens to prevent attackers from exploiting the password change functionality without the old password.

Compliance Impact

This vulnerability allows an attacker who has obtained a valid session token to change the password of an account without knowing the old password, potentially gaining persistent unauthorized access to user accounts, including administrative ones.

Such unauthorized access and persistence can lead to data breaches or unauthorized data manipulation, which may violate common standards and regulations like GDPR and HIPAA that require protection of user data and strict access controls.

Therefore, exploitation of this vulnerability could negatively impact compliance by undermining the confidentiality and integrity requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart