CVE-2026-42085
Analyzed Analyzed - Analysis Complete
Path Traversal in OpenC3 COSMOS

Publication date: 2026-05-04

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42085
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openc3 cosmos 7.0.0
openc3 cosmos 7.0.0
openc3 cosmos to 6.10.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenC3 COSMOS prior to versions 6.10.5 and 7.0.0-rc3. It is caused by a design flaw in the save_tool_config() function that allows users to save tool configuration files at arbitrary locations within the shared /plugins directory by using specially crafted configuration filenames.

Although the system tries to prevent standard path traversal attacks by converting filenames to absolute paths, all plugins share the same root directory. This allows users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory.

This issue has been fixed in versions 6.10.5 and 7.0.0-rc3.

Impact Analysis

This vulnerability can allow a user with limited privileges to overwrite existing configuration files within the shared /plugins directory by creating arbitrary file structures. This could lead to unintended changes in tool configurations, potentially disrupting normal operations or causing misconfigurations.

Since the vulnerability does not allow direct code execution or data disclosure, the impact is limited to integrity issues within the configuration files.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenC3 COSMOS to version 6.10.5 or later, or to version 7.0.0-rc3 or later, where the issue has been patched.

Compliance Impact

The vulnerability in OpenC3 COSMOS allows users to overwrite existing configuration files within the shared /plugins directory due to a design flaw in the save_tool_config() function. This could potentially lead to unauthorized modification of configuration files.

However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42085. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart