CVE-2026-42084 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: May 4, 2026
OpenC3 COSMOS - Authentication Bypass
Published: May 4, 2026 | Updated: May 4, 2026 | Remote Exploitable
Overview
OpenC3 COSMOS < 6.10.5 and < 7.0.0-rc3 contains a broken authentication flaw: the password change functionality accepts a valid session token without requiring the old password, letting attackers who hold a valid token hijack accounts. Exploitation requires a valid session token.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers with valid session tokens can hijack accounts, including admin, causing persistent unauthorized access and denial of service to legitimate users.
Mitigation
Update to versions 6.10.5 or 7.0.0-rc3 or later.
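An added example, not OpenC3 COSMOS code: a constructed single-account model contrasting the unverified password change described in the Overview (CWE-620) with a handler that re-verifies the old password. The class, its method names and the session revocation step are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed single-account model for illustration; not OpenC3 COSMOS code.
class AccountStore
  def initialize(password)
    @salt = SecureRandom.bytes(16)
    @hash = digest(password)
    @sessions = {}
  end

  # Returns a fresh session token on success, nil on a wrong password.
  def login(password)
    return nil unless verify_password(password)
    token = SecureRandom.hex(32)
    @sessions[token] = true
    token
  end

  def verify_session(token)
    @sessions.key?(token.to_s)
  end

  # CWE-620 pattern: a valid session token alone authorizes the change.
  def change_password_weak(session_token, new_password)
    return false unless verify_session(session_token)
    @hash = digest(new_password)
    true
  end

  # Hardened: the token identifies the caller, the old password must still
  # be proven, and (an added assumption) existing sessions are revoked.
  def change_password_hardened(session_token, old_password, new_password)
    return false unless verify_session(session_token) && verify_password(old_password)
    @hash = digest(new_password)
    @sessions.clear
    true
  end

  private
  def verify_password(candidate)
    OpenSSL.secure_compare(digest(candidate.to_s), @hash)
  end

  def digest(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: 100_000,
                             length: 32, hash: 'sha256')
  end
end
```

With the hardened handler, a stolen or leaked token no longer converts into a permanent credential change, and the legitimate password keeps working until its owner changes it.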
Details
- CVE ID: CVE-2026-42084
- Severity: High
- CVSS Score: 8.1
- Type: broken_authentication
- Status: new
CWE
- CWE-620
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N