PT-2026-36882 · Unknown · Openc3 Cosmos

Reported by: Suffs811
Published: 2026-05-04 · Updated: 2026-06-03
CVE: CVE-2026-42088
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenC3 COSMOS versions prior to 7.0.0-rc3

Description: The Script Runner widget lets users execute Python and Ruby scripts directly from the 'openc3-COSMOS-script-runner-api' container. Because all of the Docker containers share one network, a user can run a specially crafted script that bypasses the API permission checks and performs administrative actions. This includes reading and modifying data in the Redis database (to access secrets and change settings) and reading from and writing to the buckets service that holds configuration, log, and plugin files. These capabilities are normally restricted to the Admin Console or to users with administrative privileges, yet any user permitted to create and run scripts can connect to any service on the Docker network.

Recommendations: Update to version 7.0.0-rc3.

Tags: Exploit · Fix · LPE


Weakness Enumeration

Related Identifiers: CVE-2026-42088

Affected Products: Openc3 Cosmos