OpenC3 COSMOS TSDB SQL Injection Flaw Exposes Critical Systems
The National Vulnerability Database has identified a critical SQL injection vulnerability (CVE-2026-42087) impacting OpenC3 COSMOS versions 6.7.0 through 7.0.0-rc3. This flaw resides within the Time-Series Database (TSDB) component, specifically in the tsdb_lookup function. By manipulating user-supplied input, attackers can bypass SQL query sanitization, enabling the execution of arbitrary SQL commands. The National Vulnerability Database highlights that this can lead to data deletion or other destructive actions.
This vulnerability carries a CVSS score of 9.6 (CRITICAL), underscoring its severity. The attack vector is network-accessible (AV:N), requires low privileges (PR:L), and has a low complexity (AC:L). Crucially, it allows for scope expansion (S:C), meaning the impact can extend beyond the initial vulnerable component, leading to high confidentiality and integrity impacts. Defenders should prioritize patching this vulnerability immediately. Version 7.0.0-rc3 and later are reported as fixed.
What This Means For You
- If your organization utilizes OpenC3 COSMOS for embedded systems command and control, you must verify your version is at or beyond 7.0.0-rc3. If you are running a vulnerable version, immediate patching is paramount. Audit your TSDB component logs for any signs of unusual SQL query patterns or data manipulation that could indicate prior exploitation.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-42087 - OpenC3 COSMOS TSDB SQL Injection
title: CVE-2026-42087 - OpenC3 COSMOS TSDB SQL Injection
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
Detects SQL injection attempts against the OpenC3 COSMOS TSDB component by looking for the '/tsdb_lookup' endpoint in the URI and common SQL injection patterns within the query string. This is the primary detection for CVE-2026-42087, which allows unauthenticated attackers to execute arbitrary SQL commands.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42087/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/tsdb_lookup'
cs-uri-query|contains:
- "' OR 1=1 --"
- "' UNION SELECT"
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42087 | SQLi | OpenC3 COSMOS versions 6.7.0 up to (but not including) 7.0.0-rc3 |
| CVE-2026-42087 | SQLi | OpenC3 COSMOS Time-Series Database (TSDB) component |
| CVE-2026-42087 | SQLi | OpenC3 COSMOS tsdb_lookup function in cvt_model.rb |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Prometheus CVE-2026-42154: Unauthenticated Memory Exhaustion Vulnerability
CVE-2026-42154 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not...
Prometheus Azure AD OAuth Secret Exposed via Plaintext Config
CVE-2026-42151 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD...
CVE-2026-25863: WordPress Plugin DoS Vulnerability Hits Contact Form 7
CVE-2026-25863 — Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the...