---
gem: openc3
cve: 2026-42085
ghsa: 4jvx-93h3-f45h
url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h
title: OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
date: 2026-04-22
description: |
  ### Summary
  OpenC3 COSMOS contains a design flaw in the `save_tool_config()`
  function that allows saving tool configuration files at arbitrary
  locations inside the shared `/plugins` directory tree by supplying
  crafted configuration filenames. Although the implementation
  sufficiently mitigates standard path traversal attacks by
  canonicalizing the filename to an absolute path, all plugins share
  this same root directory. That enables users to create arbitrary
  file structures and overwrite existing configuration files within
  the shared `/plugins` directory.
  ### Details
  In the function `save_tool_config()` ([local_mode.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/local_mode.rb#L452)),
  responsible for saving user-supplied tool configuration, the intended
  destination directory is not sufficiently enforced; writes are instead
  allowed anywhere inside `OPENC3_LOCAL_MODE_PATH`.
  ### Impact
  Modifying the data of other plugins.
cvss_v3: 4.3
patched_versions:
  - "~> 6.10.5"
  - ">= 7.0.0-rc3"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42085
    - https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h
    - https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
    - https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
    - https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5
    - https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42
    - https://github.com/advisories/GHSA-4jvx-93h3-f45h