OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
Published: April 22, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-42085 (NVD)
- GHSA: GHSA-4jvx-93h3-f45h
- Vendor Advisory: https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h
GEM
SEVERITY
CVSS v3.x: 4.3 (Medium)
PATCHED VERSIONS
~> 6.10.5
>= 7.0.0-rc3
DESCRIPTION
Summary
OpenC3 COSMOS contains a design flaw in the save_tool_config()
function that allows tool configuration files to be saved at arbitrary
locations inside the shared /plugins directory tree by supplying
crafted configuration filenames. Although the implementation
sufficiently mitigates standard path traversal attacks by
canonicalizing the filename to an absolute path, all plugins share the
same root directory. This enables users to create arbitrary file
structures and overwrite existing configuration files anywhere within
the shared /plugins directory.
Details
In the save_tool_config() function (local_mode.rb), which is
responsible for saving user-supplied tool configuration, the intended
destination directory is not sufficiently enforced; writes are instead
allowed anywhere inside OPENC3_LOCAL_MODE_PATH.
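The following Ruby snippet is an added illustration of the confinement problem described above; it is not OpenC3 COSMOS code and does not reproduce save_tool_config(). The directory layout (a shared root with one subtree per plugin and a per-tool configuration directory inside it), the constant LOCAL_MODE_ROOT and both function names are hypothetical. The weak check only verifies that the canonicalized path stays under the shared root, which is exactly what lets a filename land in another plugin's subtree; the hardened version resolves the path against the specific tool's own directory and accepts nothing but a bare filename.

```ruby
require "pathname"

# Constructed stand-in for OPENC3_LOCAL_MODE_PATH (hypothetical value).
# Assumed layout: <root>/plugins/<plugin>/tool_config/<tool>/<filename>
LOCAL_MODE_ROOT = "/var/openc3/local_mode"

# Weak confinement check: canonicalize the joined path and only require
# that it still lies somewhere under the shared root. A filename that
# climbs out of its own tool directory but stays inside the root passes.
def inside_shared_root?(root, filename)
  root_path = Pathname.new(root).expand_path
  target = root_path.join(filename).expand_path # resolves "." and ".." segments
  target.to_s.start_with?(root_path.to_s + File::SEPARATOR)
end

# A single path component: no separators, no "." / "..", no NUL, not empty.
def bare_name?(s)
  return false if s.nil? || s.empty? || s.include?("\0")
  s == File.basename(s) && !%w[. ..].include?(s)
end

# Hardened resolution: every user-controlled segment must be a bare name,
# and the canonical result must be a direct child of this tool's own
# configuration directory. Returns the absolute path, or nil if rejected.
def tool_config_path(root, plugin, tool, filename)
  return nil unless [plugin, tool, filename].all? { |s| bare_name?(s) }
  base = Pathname.new(root).expand_path.join("plugins", plugin, "tool_config", tool)
  target = base.join(filename).expand_path
  return nil unless target.parent == base # belt and braces after the name check
  target.to_s
end

if __FILE__ == $PROGRAM_NAME
  traversal = "plugins/plugin_a/tool_config/tool/../../../plugin_b/plugin.txt"
  puts "weak check accepts cross-plugin path: #{inside_shared_root?(LOCAL_MODE_ROOT, traversal)}"
  puts "hardened check result: #{tool_config_path(LOCAL_MODE_ROOT, 'plugin_a', 'tool', traversal).inspect}"
  puts "hardened check, plain name: #{tool_config_path(LOCAL_MODE_ROOT, 'plugin_a', 'tool', 'settings.json')}"
end
```

The important design choice is that the boundary is computed from the caller's plugin and tool identity, not from the filename, so the canonical path is compared against the narrowest directory the write is allowed to touch rather than the shared root. Validating plugin and tool with the same bare-name rule matters because those segments are often user-influenced as well.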
Impact
Modifying the data of other plugins.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2026-42085
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h
- https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
- https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
- https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5
- https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42
- https://github.com/advisories/GHSA-4jvx-93h3-f45h
