CVE-2026-42084
Password Change Without Old Password in OpenC3 COSMOS
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openc3 | cosmos | to 7.0.0-rc3 (exc) |
| openc3 | cosmos | to 7.0.0-rc3 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in OpenC3 COSMOS versions prior to 6.10.5 and 7.0.0-rc3, where the password change functionality allows a user to change their password without providing the old password. Instead, it accepts a valid session token to authorize the change.
This means that if an attacker has already obtained a valid session token, they can exploit this behavior to change the password of the account associated with that token without knowing the original password.
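As an added illustration (not COSMOS's own code, which this page does not show), the following constructed Ruby account store places a password change that trusts the session token alone next to a hardened one that also demands the current password and revokes the user's other sessions; `AccountStore` and every name in it are assumptions:

```ruby
require "openssl"
require "securerandom"
# Constructed toy account store (not COSMOS code): CWE-620 shape vs. hardened.
class AccountStore
  ITERATIONS = 50_000

  def initialize
    @users = {}    # username => { salt:, hash: }
    @sessions = {} # session token => username
  end

  def create(user, password)
    salt = SecureRandom.bytes(16)
    @users[user] = { salt: salt, hash: derive(password, salt) }
  end

  def login(user, password) # => fresh session token, or nil on failure
    return nil unless verify(user, password)
    token = SecureRandom.hex(16)
    @sessions[token] = user
    token
  end

  # Vulnerable (CWE-620): a hijacked session token alone is enough to set a new password.
  def change_password_vulnerable(token, new_password)
    user = @sessions[token]
    return false unless user
    create(user, new_password)
    true
  end

  # Hardened: also require the current password, then revoke the user's other sessions.
  def change_password_fixed(token, old_password, new_password)
    user = @sessions[token]
    return false unless user && verify(user, old_password)
    create(user, new_password)
    @sessions.delete_if { |t, u| u == user && t != token }
    true
  end

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, "sha256")
  end

  def verify(user, password) # constant-time digest comparison
    rec = @users[user]
    return false unless rec
    derive(password, rec[:salt]).bytes.zip(rec[:hash].bytes).inject(0) { |a, (x, y)| a | (x ^ y) }.zero?
  end
end
```

Revoking the other sessions on a successful change is what denies a token holder the persistence the answer above describes, so the fixed path does both checks.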
How can this vulnerability impact me?
This vulnerability can allow an attacker who has a valid session token to gain persistence in a hijacked account, including accounts with administrative privileges.
By changing the password without needing the old one, the attacker can prevent legitimate users from accessing their accounts, effectively locking them out.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenC3 COSMOS to version 6.10.5 or later, or to version 7.0.0-rc3 or later, where the issue has been patched.
Additionally, where a breach must be assumed, monitor and restrict access to valid session tokens, since a stolen token is all an attacker needs to change the password without knowing the old one.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker who has obtained a valid session token to change the password of an account without knowing the old password, potentially gaining persistent unauthorized access to user accounts, including administrative ones.
Such unauthorized access and persistence can lead to data breaches or unauthorized data manipulation, which may violate common standards and regulations like GDPR and HIPAA that require protection of user data and strict access controls.
Therefore, exploitation of this vulnerability could negatively impact compliance by undermining the confidentiality and integrity requirements mandated by these regulations.