OpenC3 COSMOS Critical Script Runner Bypass (CVE-2026-42088)
The National Vulnerability Database (NVD) has disclosed CVE-2026-42088, a critical vulnerability in OpenC3 COSMOS, a system designed to command and receive data from embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allowed users to execute Python and Ruby scripts directly. The critical flaw stems from how Docker containers share a network, enabling specially crafted scripts to bypass API permission checks.
This bypass lets unauthorized users perform administrative actions, including reading and modifying data within the Redis database. This means attackers can exfiltrate secrets, alter COSMOS settings, and manipulate configuration, log, and plugin files stored in the buckets service. Essentially, any user with script creation and execution privileges can connect to any service within the Docker network, circumventing intended security controls that should restrict these actions to the Admin Console or users with explicit administrative rights.
OpenC3 has patched this issue in version 7.0.0-rc3. Given the CVSS score of 9.6 (Critical) and the potential for full administrative compromise, organizations using OpenC3 COSMOS must prioritize immediate patching. This isn’t theoretical; it’s a direct path to full system control for an attacker who gains a foothold as a standard user with script execution rights.
What This Means For You
- If your organization uses OpenC3 COSMOS, you need to verify your version immediately. This vulnerability allows low-privileged users to achieve full administrative control, read sensitive data, and alter critical configurations. Patch to version 7.0.0-rc3 without delay. Audit your COSMOS environment for any unauthorized script executions or anomalous Redis database activity.
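A version check for the "prior to 7.0.0-rc3" boundary, added here as an example (not code from OpenC3 or NVD). The host names and version strings in the sample inventory are constructed. The ordering of `rcN` tags is an assumption: they are compared numerically, so `rc10` sorts after `rc3`, which strict SemVer text comparison would get wrong.

```python
import re

FIXED = "7.0.0-rc3"  # first patched release, per the advisory text
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def _key(version):
    """Sort key for MAJOR.MINOR.PATCH[-prerelease]; raises ValueError if unparseable."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return core, (1,)  # a final release sorts after all of its pre-releases
    # Split "rc10" into ("rc", 10) so numbers compare numerically, not as text.
    parts = tuple(
        (0, int(tok), "") if tok.isdigit() else (1, 0, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", m.group(4))
    )
    return core, (0, parts)

def is_affected(version):
    """True if the version predates the fixed release."""
    return _key(version) < _key(FIXED)

def audit(inventory):
    """Map each host to 'affected', 'patched' or 'unknown' (needs manual check)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"  # e.g. a floating image tag such as "latest"
    return result

# Constructed sample inventory: host names and version strings are illustrative.
SAMPLE_INVENTORY = {
    "cosmos-ops-01": "6.10.4",
    "cosmos-ops-02": "7.0.0-rc2",
    "cosmos-test-01": "7.0.0-rc3",
    "cosmos-test-02": "7.0.0-rc10",
    "cosmos-dev-01": "7.0.0",
    "cosmos-dev-02": "latest",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:12} {status}")
```

Hosts reported as `unknown` run a tag that cannot be compared, so their actual image version has to be resolved by hand before they can be cleared.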
🛡️ Detection Rules
DLL Side-Loading Detection
```yaml
title: DLL Side-Loading Detection
id: scw-2026-05-04-1
status: experimental
level: high
description: |
  Detects unsigned DLLs loaded by legitimate executables, a common technique for persistence and defense evasion.
author: SCW Feed Engine (auto-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42088/
tags:
  - attack.persistence
  - attack.t1574.002
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith:
      - '.dll'
    Image|endswith:
      - '.exe'
    signed: 'false'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-42088
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42088 | Privilege Escalation | OpenC3 COSMOS Script Runner widget allows bypassing API permissions |
| CVE-2026-42088 | Information Disclosure | OpenC3 COSMOS prior to version 7.0.0-rc3 allows reading secrets from Redis database |
| CVE-2026-42088 | Misconfiguration | OpenC3 COSMOS docker containers share a network, allowing script execution to connect to any service |
| CVE-2026-42088 | Auth Bypass | OpenC3 COSMOS Script Runner allows bypassing API permissions check to perform administrative actions |
| CVE-2026-42088 | Code Injection | OpenC3 COSMOS Script Runner widget allows execution of specially crafted Python and Ruby scripts |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.