LeakyCreds

CVE-2026-42088 - Vulnerability Analysis

Critical | CVSS: 9.6

Last Updated: May 4, 2026

OpenC3 COSMOS - Privilege Escalation

Published: May 4, 2026 | Updated: May 4, 2026 | Remote Exploitable

Overview

OpenC3 COSMOS versions before 7.0.0-rc3 contain a privilege escalation vulnerability: scripts executed through the Script Runner widget bypass API permissions, so users with script run permission can perform administrative actions on internal services. Exploitation requires script run permission.

Severity & Score

Severity: Critical
CVSS Score: 9.6

Impact

Users with script run permission can perform administrative actions, including reading/modifying secrets and configuration, leading to full system compromise.

Mitigation

Upgrade to version 7.0.0-rc3 or later.

Details

CVE ID: CVE-2026-42088
Severity: Critical
CVSS Score: 9.6
Type: broken_access_control
Status: new

CWE

  • CWE-250

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N