CVE-2026-42085: OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows tool configuration files to be saved at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. The implementation does mitigate standard path traversal attacks by canonicalizing the filename to an absolute path, but all plugins share the same root directory, so the check only confines writes to /plugins as a whole. That enables users to create arbitrary file structures and overwrite existing configuration files anywhere within the shared /plugins directory, including those belonging to other plugins.
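The following Ruby is an added illustration, not code from OpenC3 COSMOS, of the two checks the advisory contrasts: canonicalizing a filename and confirming it stays under the root shared by every plugin (the pattern the advisory describes as insufficient) beside a check that confines the write to the calling plugin's own directory. The /plugins root comes from the advisory; the per-plugin `tool_config` subdirectory, the function names and the plugin names are assumptions made for the example.

```ruby
# Constructed example (not OpenC3 COSMOS code). Models why a prefix check
# against a root shared by all plugins still permits cross-plugin writes,
# and what a per-plugin confinement check looks like instead.

PLUGINS_ROOT = "/plugins" # shared root named in the advisory

# Weak check: canonicalise to an absolute path and confirm it is under the
# shared root. "../../etc/passwd" is rejected, but any path that stays inside
# /plugins, including another plugin's config directory, is accepted.
# File.absolute_path is used rather than File.expand_path because the latter
# also expands "~" and "~user", which is not wanted for untrusted input.
def resolve_under_shared_root(plugin, filename)
  base = File.join(PLUGINS_ROOT, plugin)
  target = File.absolute_path(filename, base)
  # Trailing "/" prevents "/pluginsX/..." from passing the prefix test.
  return nil unless target.start_with?(PLUGINS_ROOT + "/")
  target
end

# Hardened check: the filename must be a single path component, and the
# canonical result must sit directly inside this plugin's own config
# directory. A traversal component or separator therefore cannot redirect
# the write to a sibling plugin.
def resolve_under_plugin_dir(plugin, filename)
  return nil if filename.nil? || filename.empty?
  # A plain file name is unchanged by File.basename; anything containing a
  # separator is not. Backslash is rejected explicitly so the rule also holds
  # where the file is later handled on a Windows-style filesystem.
  return nil if filename != File.basename(filename)
  return nil if filename == "." || filename == ".." || filename.include?("\\")

  plugin_dir = File.join(PLUGINS_ROOT, plugin, "tool_config") # assumed layout
  target = File.absolute_path(filename, plugin_dir)
  # Belt and braces: the parent of the canonical path must be plugin_dir itself.
  return nil unless File.dirname(target) == plugin_dir
  target
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one normal name, one aimed at a sibling plugin, one
  # classic traversal out of the tree.
  ["settings.json", "../beta/tool_config/settings.json", "../../etc/passwd"].each do |name|
    puts format("%-40s shared-root: %-45s per-plugin: %s",
                name.inspect,
                resolve_under_shared_root("alpha", name).inspect,
                resolve_under_plugin_dir("alpha", name).inspect)
  end
end
```

Run stand-alone, the table shows that the shared-root check lets the sibling-plugin path through while rejecting only the path that leaves /plugins, whereas the per-plugin check returns nil for both crafted names. In a real service the plugin identifier should be validated the same way before it is joined into the path.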
References
- github.com/OpenC3/cosmos
- github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5
- github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42
- github.com/OpenC3/cosmos/releases/tag/v6.10.5
- github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
- github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h
- github.com/advisories/GHSA-4jvx-93h3-f45h
- nvd.nist.gov/vuln/detail/CVE-2026-42085