CVE-2026-42084: OpenC3 COSMOS Allows Password Change Without Old Password
The National Vulnerability Database has detailed CVE-2026-42084, a high-severity vulnerability (CVSS 8.1) in OpenC3 COSMOS versions prior to 6.10.5 and 7.0.0-rc3. This flaw allows users to change their password using only a valid session token, bypassing the requirement for the old password. This isn’t a speculative risk; it’s a critical persistence vector.
In an assumed breach scenario, this vulnerability significantly amplifies an attacker’s post-compromise capabilities. If an adversary has already obtained a valid session token — perhaps through a phishing attack, a separate credential stuffing incident, or internal network access — they can leverage this flaw to hijack accounts, including administrative ones. This effectively locks out legitimate users and establishes a durable foothold for the attacker, making incident response far more complex.
Defenders must prioritize patching. OpenC3 COSMOS versions 6.10.5 and 7.0.0-rc3 address this issue. For organizations that rely on OpenC3 COSMOS, the immediate focus should be on upgrading to these patched versions. Furthermore, security teams should scrutinize session management and look for anomalous password change events, particularly for high-privilege accounts, as these could indicate active exploitation in already compromised environments.
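To make the class of bug concrete, here is a password-change handler in the vulnerable shape the advisory describes (a valid session token is the only thing checked) next to a hardened one that re-authenticates with the current password and revokes the account's other sessions. This is an added illustration, not OpenC3 COSMOS code; the in-memory user and session store, the PBKDF2 hashing and the account names are simplifying assumptions.

```python
"""Vulnerable versus hardened password-change handler (added illustration,
not OpenC3 COSMOS code; store, hashing and names are assumptions)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; any slow hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # session token -> username
    audit: list = field(default_factory=list)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def check_password(self, name: str, password: str) -> bool:
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u.pw_hash, _hash_password(password, u.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        if not self.check_password(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def _set_password(self, name: str, new_password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(new_password, salt))


def change_password_vulnerable(store: Store, token: str, new_password: str) -> bool:
    """Vulnerable shape: only the session token is validated, so whoever holds
    the token can set a new password and lock the real owner out."""
    name = store.sessions.get(token)
    if name is None:
        return False
    store._set_password(name, new_password)
    return True


def change_password_hardened(store: Store, token: str, old_password: str,
                             new_password: str) -> bool:
    """Hardened shape: re-authenticate with the current password, then revoke
    every other session of the account so a leaked token does not outlive the
    change; both outcomes are written to the audit log for detection."""
    name = store.sessions.get(token)
    if name is None:
        return False
    if not store.check_password(name, old_password):
        store.audit.append(("password_change_rejected", name))
        return False
    store._set_password(name, new_password)
    for t in [t for t, n in store.sessions.items() if n == name and t != token]:
        del store.sessions[t]
    store.audit.append(("password_changed", name))
    return True


def demo() -> dict:
    """Constructed scenario: one session token of 'operator' is known to a
    third party (how it leaked is out of scope). Returns the observed outcomes."""
    out = {}
    s = Store()
    s.add_user("operator", "correct horse battery staple")
    token = s.login("operator", "correct horse battery staple")
    out["vulnerable_accepts_token_only"] = change_password_vulnerable(s, token, "changed")
    out["owner_locked_out"] = s.login("operator", "correct horse battery staple") is None

    s = Store()
    s.add_user("operator", "correct horse battery staple")
    t1 = s.login("operator", "correct horse battery staple")  # owner's session
    t2 = s.login("operator", "correct horse battery staple")  # a second (possibly leaked) session
    out["hardened_rejects_without_old_pw"] = not change_password_hardened(s, t1, "guess", "changed")
    out["hardened_accepts_with_old_pw"] = change_password_hardened(
        s, t1, "correct horse battery staple", "changed")
    out["other_sessions_revoked"] = t2 not in s.sessions and t1 in s.sessions
    out["audit"] = [e[0] for e in s.audit]
    return out
```

The two defensive properties worth carrying into a real fix are the re-authentication step and the session revocation: the first is what the patched COSMOS versions restore, the second ensures that an owner changing their password after an incident also invalidates any token that was already in the wrong hands.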
What This Means For You
- If your organization uses OpenC3 COSMOS, you need to check your version immediately. If you're running anything older than 6.10.5 or 7.0.0-rc3, you are exposed to CVE-2026-42084. Patching is non-negotiable. Beyond that, audit your session management and look for any unauthorized password changes, especially if you've had recent security incidents that could have exposed session tokens.
🛡️ Detection Rules
Detection rules auto-generated for this incident and mapped to MITRE ATT&CK, in Sigma YAML.
CVE-2026-42084: OpenC3 COSMOS Password Change Without Old Password
```yaml
title: 'CVE-2026-42084: OpenC3 COSMOS Password Change Without Old Password'
id: scw-2026-05-04-ai-1
status: experimental
level: high
description: |
  Detects the specific API endpoint used in OpenC3 COSMOS to change a user's password without requiring the old password. This is the core vulnerability (CVE-2026-42084) that allows for persistence by hijacking accounts using a valid session token.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42084/
tags:
  - attack.persistence
  - attack.t1550.003
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cosmos/api/v1/users/changepassword'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
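The rule's selection is three fields ANDed together, so it fires on every successful POST to the change-password endpoint, which includes the legitimate changes named under falsepositives. The following added example (not part of the original post, and not code from the site's Intel Bot) evaluates that selection over constructed W3C extended log lines and tags hits on high-privilege accounts for triage, as the advisory recommends; the field layout, the `cs-username` field and the account names are assumptions.

```python
"""Evaluate the Sigma selection above against W3C extended log lines.
Added example; the log lines, field layout and account names are constructed."""

# Selection copied from the rule; Sigma ANDs the keys of one selection map
# and ORs the values listed under each key.
SELECTION = {
    "cs-uri|contains": ["/cosmos/api/v1/users/changepassword"],
    "cs-method": ["POST"],
    "sc-status": ["200"],
}

# Constructed list of accounts whose password changes deserve first attention.
HIGH_PRIVILEGE = {"admin"}

# Constructed sample log: one ordinary change, one admin change, one rejected
# attempt (401) and one GET that must not match.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri sc-status
2026-05-04 10:00:01 10.0.0.5 alice GET /cosmos/api/v1/users 200
2026-05-04 10:00:07 10.0.0.5 alice POST /cosmos/api/v1/users/changepassword 200
2026-05-04 10:01:12 10.0.0.9 admin POST /cosmos/api/v1/users/changepassword 200
2026-05-04 10:01:30 10.0.0.9 admin POST /cosmos/api/v1/users/changepassword 401
2026-05-04 10:02:00 10.0.0.7 bob GET /cosmos/api/v1/users/changepassword 200
"""


def parse_w3c(text: str):
    """Yield one dict per record, using the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def _field_matches(record: dict, key: str, values: list) -> bool:
    """Apply one selection entry; only the 'contains' modifier is needed here."""
    name, _, modifier = key.partition("|")
    actual = record.get(name, "")
    if modifier == "contains":
        return any(v in actual for v in values)
    return actual in values


def matches_selection(record: dict, selection: dict = SELECTION) -> bool:
    return all(_field_matches(record, k, v) for k, v in selection.items())


def run_rule(text: str) -> list:
    """Return the matching records with a triage priority derived from the account."""
    hits = []
    for rec in parse_w3c(text):
        if matches_selection(rec):
            user = rec.get("cs-username")
            hits.append({
                "time": rec["time"],
                "ip": rec["c-ip"],
                "user": user,
                "priority": "high" if user in HIGH_PRIVILEGE else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(hit)
```

Because every legitimate change also matches, treat a hit as a triage prompt rather than an alert on its own: compare the client IP and session with the account's recent logins, and give changes on high-privilege accounts, or on accounts involved in a recent incident, priority.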
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42084 | Auth Bypass | OpenC3 COSMOS password change functionality |
| CVE-2026-42084 | Auth Bypass | OpenC3 COSMOS < 6.10.5 |
| CVE-2026-42084 | Auth Bypass | OpenC3 COSMOS < 7.0.0-rc3 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.