CVE-2026-42084
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Description
### Summary

The OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed-breach scenarios, an attacker who has already obtained a valid session token can exploit this behaviour to gain persistence in the hijacked account (including admin accounts) and to prevent legitimate users from accessing the account.

### Details

The design flaw in the authentication model ([authentication.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/authentication.rb)) allows passwords and session tokens to be used interchangeably for user authentication. As old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account's password even after the victim resets it, thereby maintaining persistent control over the compromised account.

### PoC

1. The attacker is logged in to the user account with a hijacked, still-valid session token, but does not know the actual password.
2. The legitimate user, as a preventive action, changes their password to _password123_ using the old password (_password_), which they know, then establishes a new session.
3. The attacker issues another password change request (in a web proxy such as Burp), supplying the still-valid token as _old_password_ and changing the password to attacker-password; from this point on, no other legitimate user can access the account.

![image](https://github.com/user-attachments/assets/d27b5980-0326-40f8-bb39-657d7b1c95a0)

![image](https://github.com/user-attachments/assets/060d9fe1-637e-4a2d-9142-76612984ea28)

### Impact

Persistence of an attacker who obtained a valid session token, and denial of account access to legitimate users.
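The two properties the Details and Impact sections turn on are (a) whether a session token is accepted as proof of the old password, and (b) whether tokens issued before a password change survive it. The following added Ruby example is not OpenC3 code and does not touch authentication.rb; it is a constructed in-memory account store with a weak password-change handler modelled on the described flaw next to a hardened one, plus a replay of the advisory's three PoC steps that a maintainer could keep as a regression test. Account names, the fixed salt, and the `password_version` field are all assumptions of this example.

```ruby
require 'securerandom'
require 'digest'

# Added example, not OpenC3 code: minimal account store used to contrast a
# weak and a hardened password-change handler. Names and storage are constructed.
class AccountStore
  Account = Struct.new(:password_hash, :sessions, :password_version)

  def initialize
    @accounts = {}
  end

  def create(username, password)
    @accounts[username] = Account.new(hash_pw(password), {}, 1)
  end

  # Login with the real password issues a token bound to the password
  # version that was current when the token was issued.
  def login(username, password)
    acct = @accounts[username]
    return nil unless acct && secure_equal(acct.password_hash, hash_pw(password))
    token = SecureRandom.hex(16)
    acct.sessions[token] = acct.password_version
    token
  end

  # A token is accepted only if it was issued under the current password
  # version, so a password change implicitly revokes every earlier token.
  def token_valid?(username, token)
    acct = @accounts[username]
    !acct.nil? && acct.sessions[token] == acct.password_version
  end

  # Weak variant, modelling the flaw the advisory describes: either the old
  # password or any currently valid session token authorises the change,
  # and tokens issued before the change keep working afterwards.
  def change_password_weak(username, old_secret, new_password)
    acct = @accounts[username]
    return false unless acct
    authorised = secure_equal(acct.password_hash, hash_pw(old_secret)) ||
                 token_valid?(username, old_secret)
    return false unless authorised
    acct.password_hash = hash_pw(new_password)
    true
  end

  # Hardened variant: only the old password is accepted as proof, and the
  # password version is bumped so every previously issued token stops
  # validating (the caller's own session included; they log in again).
  def change_password(username, old_password, new_password)
    acct = @accounts[username]
    return false unless acct && secure_equal(acct.password_hash, hash_pw(old_password))
    acct.password_hash = hash_pw(new_password)
    acct.password_version += 1
    acct.sessions.clear
    true
  end

  private

  # Stand-in for a real password hash (bcrypt/argon2 in production);
  # the fixed salt only keeps the example self-contained.
  def hash_pw(pw)
    Digest::SHA256.hexdigest("example-salt:#{pw}")
  end

  # Constant-time comparison of two equal-length digests.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays the advisory's three PoC steps against one variant and returns
# whether a token issued before the legitimate reset can still change the password.
def stale_token_changes_password?(hardened:)
  store = AccountStore.new
  store.create('operator', 'password')
  stale = store.login('operator', 'password')                        # token issued before the reset
  method = hardened ? :change_password : :change_password_weak
  store.public_send(method, 'operator', 'password', 'password123')  # legitimate reset with real old password
  store.public_send(method, 'operator', stale, 'attacker-password')  # stale token offered as old_password
end

if __FILE__ == $PROGRAM_NAME
  puts "weak variant, stale token accepted:     #{stale_token_changes_password?(hardened: false)}"
  puts "hardened variant, stale token accepted: #{stale_token_changes_password?(hardened: true)}"
end
```

The hardened handler fixes both halves of the problem at once: a token can never stand in for the old password, and bumping `password_version` invalidates every outstanding session at the moment of the reset, which is the behaviour a user performing the "preventive" reset in step 2 expects.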
How to fix CVE-2026-42084
To remediate CVE-2026-42084, upgrade the affected package to a fixed version below.
- Upgrade to 6.10.5 or later
Is CVE-2026-42084 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.