CVE-2026-42088
Privilege Escalation in OpenC3 COSMOS via Script Runner
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openc3 | cosmos | all versions before 7.0.0-rc3 (7.0.0-rc3 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users with script execution permissions to bypass API permission checks and perform administrative actions, including reading secrets and modifying configuration and log files. Such unauthorized access and potential data exposure could lead to violations of data protection standards and regulations that require strict access controls and data confidentiality, such as GDPR and HIPAA.
Specifically, the ability to read and modify sensitive data and configuration settings without proper authorization increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these regulations.
Can you explain this vulnerability to me?
This vulnerability exists in OpenC3 COSMOS versions prior to 7.0.0-rc3, specifically in the Script Runner widget. It allows users who have permission to create and run scripts to execute specially crafted Python or Ruby scripts within the openc3-COSMOS-script-runner-api container. Because all Docker containers share a network, these scripts can reach the backing services directly, bypass the API permission checks, and perform administrative actions (CWE-250: the script runner operates with more privilege than the script author is entitled to).
These administrative actions include reading and modifying data inside the Redis database, which can expose secrets and allow changes to COSMOS settings. Additionally, the scripts can read and write to the buckets service, which contains configuration, log, and plugin files. Normally, these actions require administrative privileges or access through the Admin Console.
How can this vulnerability impact me?
The vulnerability can have a significant impact by allowing unauthorized users with script execution permissions to escalate their privileges and perform administrative actions. This includes accessing sensitive data such as secrets stored in the Redis database, modifying system settings, and altering configuration, log, and plugin files.
Such unauthorized access and modifications can compromise the integrity and confidentiality of the system, potentially leading to data breaches, system misconfigurations, and disruption of normal operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later, where the issue has been patched.
Additionally, until the upgrade is complete, restrict permission to create and run scripts to trusted users only, since any user with that permission can exploit this vulnerability; reviewing who currently holds script permissions and auditing recent Script Runner activity is a reasonable first check.