CVE-2026-42084.yml

---
gem: openc3
cve: 2026-42084
ghsa: wgx6-g857-jjf7
url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7
title: OpenC3 COSMOS - Hijacked session token can be used to reset
  password for persistence
date: 2026-04-22
description: |
  ### Summary

  The OpenC3 password change functionality allows a user to change their
  password without providing the old password, by accepting a valid
  session token instead. In assumed breach scenarios, this behaviour
  can be exploited by an attacker who has already obtained a valid
  session token, to gain persistence in hijacked account (including
  admin) and prevent legitimate users from accessing the account.

  ### Details

  The design flaw in authentication model ([authentication.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/authentication.rb))
  allows for interchangeable use of password and session tokens for
  user authentication As old tokens are not revoked upon password
  reset, an attacker who has obtained a valid session token can
  continue to authenticate and change the account’s password even
  after the victim resets it, thereby maintaining persistent control
  over the compromised account.

  ### Impact

  Persistence of an attacker who obtained valid session token and
  preventing legitimate users from account access.
cvss_v3: 8.1
patched_versions:
  - "~> 6.10.5"
  - ">= 7.0.0-rc3"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42084
    - https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7
    - https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
    - https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
    - https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776
    - https://github.com/advisories/GHSA-wgx6-g857-jjf7