CVE-2026-42087
SQL Injection in OpenC3 COSMOS Time-Series Database
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openc3 | cosmos | From 6.7.0 (inc) to 7.0.0-rc3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in OpenC3 COSMOS allows an attacker to execute arbitrary SQL commands, including deleting data. This can lead to unauthorized data manipulation or loss, which may impact the confidentiality and integrity of sensitive information.
Such impacts could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of data confidentiality and integrity. However, specific effects on compliance depend on the context of data handled and the implementation environment.
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue in the Time-Series Database (TSDB) component of OpenC3 COSMOS versions 6.7.0 to before 7.0.0-rc3. Specifically, the tsdb_lookup function in the cvt_model.rb file inserts user-supplied input directly into a SQL query without sanitization. This allows an attacker to manipulate the SQL query, potentially executing arbitrary SQL commands such as deleting data.
How can this vulnerability impact me? :
The vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands. An attacker with limited privileges can exploit this to manipulate or delete data in the database, potentially leading to data loss or corruption. Given the high CVSS score (9.6), the impact on confidentiality and integrity is critical.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this SQL injection vulnerability in the Time-Series Database (TSDB) component of OpenC3 COSMOS, you should upgrade your COSMOS installation to version 7.0.0-rc3 or later, where the issue has been patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or crafted JSON-RPC requests sent to the get_tlm_values endpoint, especially those containing malicious SQL injection payloads in the start_time parameter, such as "' OR 1 = 1 --".
A practical approach is to inspect network traffic or application logs for JSON-RPC calls to get_tlm_values with unusual or unexpected input values.
For example, you can use command-line tools like curl to test the endpoint with a crafted payload to see if the system is vulnerable:
- curl -X POST http://<target_host>/rpc -H 'Content-Type: application/json' -d '{"method":"get_tlm_values","params":{"start_time":"' OR 1=1 --"},"id":1}'
Additionally, you can search application logs for SQL errors or unexpected behavior triggered by such inputs.
To detect exploitation attempts on the network, tools like Wireshark or network intrusion detection systems (NIDS) can be configured to alert on suspicious JSON-RPC payloads containing SQL injection patterns.