OpenC3 COSMOS - Hijacked session token can be used to reset password for persistence
Published: April 22, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-42084 (NVD)
- GHSA: GHSA-wgx6-g857-jjf7
- Vendor Advisory: https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7
GEM
SEVERITY
CVSS v3.x: 8.1 (High)
PATCHED VERSIONS
~> 6.10.5
>= 7.0.0-rc3
DESCRIPTION
Summary
The OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In an assumed-breach scenario, an attacker who has already obtained a valid session token can exploit this behaviour to gain persistence in the hijacked account (including an admin account) and to lock legitimate users out of it.
Details
The design flaw in the authentication model (authentication.rb) allows a password and a session token to be used interchangeably for user authentication. Because existing tokens are not revoked on password reset, an attacker holding a valid session token can continue to authenticate and change the account's password even after the victim resets it, thereby maintaining persistent control of the compromised account.
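As an added illustration (a constructed example, not the project's authentication.rb and not the fix commit): a minimal single-user authenticator in Ruby with the two password-change policies side by side, replayed through the assumed-breach scenario above. The class and method names (DemoAuth, run_scenario) and the two policy flags are assumptions of this example, chosen to separate the two defects the advisory names: accepting a token in place of the old password, and not revoking tokens on reset.

```ruby
require 'securerandom'
require 'openssl'

# Constructed illustration, not OpenC3 code: one user, an in-memory token
# store, and a password-change policy selected by two flags.
class DemoAuth
  def initialize(password, revoke_on_change:, require_old_password:)
    @salt = SecureRandom.hex(16)
    @hash = digest(password)
    @tokens = {}                      # session token => issue time
    @revoke_on_change = revoke_on_change
    @require_old_password = require_old_password
  end

  # Verify the password and mint a fresh random session token.
  def login(password)
    return nil unless password_ok?(password)
    token = SecureRandom.hex(32)
    @tokens[token] = Time.now
    token
  end

  def valid_token?(token)
    @tokens.key?(token)
  end

  # Vulnerable policy (both flags false): a valid session token is accepted in
  # place of the old password, and issued tokens survive the change.
  # Hardened policy: the old password is mandatory and every token is revoked.
  def change_password(credential, new_password)
    authorized = if @require_old_password
                   password_ok?(credential)
                 else
                   password_ok?(credential) || valid_token?(credential)
                 end
    return false unless authorized
    @hash = digest(new_password)
    @tokens.clear if @revoke_on_change
    true
  end

  private

  def digest(pw)
    OpenSSL::KDF.pbkdf2_hmac(pw, salt: @salt, iterations: 10_000,
                             length: 32, hash: 'sha256')
  end

  # Constant-time comparison so the check does not leak via timing.
  def password_ok?(pw)
    candidate = digest(pw)
    return false unless candidate.bytesize == @hash.bytesize
    candidate.bytes.zip(@hash.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replay the advisory's scenario: the attacker steals a live session token, the
# victim resets the password through the legitimate path, and the attacker
# then tries to take the account back using only the stolen token.
def run_scenario(revoke_on_change:, require_old_password:)
  auth = DemoAuth.new('correct horse',
                      revoke_on_change: revoke_on_change,
                      require_old_password: require_old_password)
  stolen = auth.login('correct horse')            # hijacked session token
  auth.change_password('correct horse', 'battery staple')   # victim resets
  attacker_changed = auth.change_password(stolen, 'attacker-owned')
  victim_locked_out = auth.login('battery staple').nil?
  { attacker_changed: attacker_changed,
    victim_locked_out: victim_locked_out,
    stolen_token_still_valid: auth.valid_token?(stolen) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_scenario(revoke_on_change: false, require_old_password: false)}"
  puts "hardened:   #{run_scenario(revoke_on_change: true,  require_old_password: true)}"
end
```

Either flag on its own blocks the password takeover, but they are not equivalent: requiring the old password alone still leaves the hijacked token usable for everything short of a password change, so the session itself is only ended by revoking issued tokens on reset. The hardened policy does both.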
Impact
An attacker who has obtained a valid session token can persist in the account, including after the legitimate user resets the password, and can lock legitimate users out of it.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2026-42084
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7
- https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
- https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
- https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776
- https://github.com/advisories/GHSA-wgx6-g857-jjf7
