RubySec

Providing security resources for the Ruby community

CVE-2026-42087 (openc3): OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Published: April 23, 2026

SECURITY IDENTIFIERS

GEM

openc3

SEVERITY

CVSS v3.x: 9.6 (Critical)

UNAFFECTED VERSIONS

< 6.7.0

PATCHED VERSIONS

>= 7.0.0

DESCRIPTION

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Attack type: Authenticated remote

Impact: Telemetry data disclosure and deletion

Affected components: openc3-tsdb (QuestDB)

A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data.

Recommendations

  • Validate and sanitize all user-supplied input before using it in a query.
  • Use prepared statements with parameterized queries when executing SQL statements.
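The following Ruby example is added here to illustrate the two recommendations above; it is not code from OpenC3 COSMOS or from the advisory. It contrasts the weak pattern the description names (interpolating a caller-supplied value straight into SQL text) with a hardened lookup that validates the value against an identifier allowlist and hands it to the driver as a bind parameter. The module names, the `telemetry` table, its columns and the `$1` placeholder syntax are all assumptions chosen for illustration; the placeholder form a real QuestDB driver expects depends on that driver.

```ruby
# Added example, not the project's code. Names and schema are hypothetical.

# Weak pattern: the caller-supplied item name becomes part of the SQL string.
# A single quote in the input closes the literal, so whatever follows is
# parsed as SQL instead of data.
module UnsafeTsdbLookup
  def self.build_query(item_name)
    "SELECT value FROM telemetry WHERE item = '#{item_name}' " \
      "ORDER BY ts DESC LIMIT 1"
  end
end

# Hardened pattern: the SQL text is fixed and the value travels separately as
# a bind parameter, so the database never parses it as SQL. The allowlist is
# a second, independent control: telemetry item names are identifiers, so
# anything outside [A-Za-z0-9_] is rejected before a query is built at all.
module SafeTsdbLookup
  IDENTIFIER = /\A[A-Za-z0-9_]{1,64}\z/

  # Returns [sql_with_placeholder, bind_params]. The caller passes both to the
  # driver's prepared-statement API (hypothetical: conn.exec_params(sql, params)).
  def self.build_query(item_name)
    unless IDENTIFIER.match?(item_name.to_s)
      raise ArgumentError, "invalid telemetry item name: #{item_name.inspect}"
    end
    sql = "SELECT value FROM telemetry WHERE item = $1 ORDER BY ts DESC LIMIT 1"
    [sql, [item_name]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a quote followed by a tautology, the textbook break-out.
  hostile = "temp' OR 1=1 --"
  puts "unsafe: #{UnsafeTsdbLookup.build_query(hostile)}"
  sql, params = SafeTsdbLookup.build_query("temp")
  puts "safe:   #{sql} with params #{params.inspect}"
  begin
    SafeTsdbLookup.build_query(hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the block prints the unsafe query with the hostile text spliced into the `WHERE` clause, the hardened query with `$1` still in place and the value carried in `params`, and the `ArgumentError` raised for the same hostile input. Validation alone is not the fix: the bind parameter is what keeps a value from being parsed as SQL, and the allowlist simply fails fast on input that could never be a legitimate item name.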
