OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account.
In accordance with CWE-798, the vendor embedded static, unchangeable login credentials for a Service Account in the application code. An attacker who knows these hardcoded credentials (e.g., after analyzing the publicly available repository) can use them to authenticate to the system. Since these credentials are identical across all installations of a given version, the exploit requires no interaction from the victim or special privileges.
An attacker gains full, unauthorized access to the system with Service Account privileges, which may lead to disclosure of space mission data, modification of data, or complete disruption of the platform's operation.
OpenC3 COSMOS must be urgently updated to version 6.0.2 or later, in which the issue has been fixed. Patch details are available in the vendor's references (GitHub pull request #1816 and release v6.0.2). After updating, it is recommended to review access logs to detect any potential unauthorized use of the Service Account.
OpenC3 COSMOS in all versions before 6.0.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenc3 Cosmos
APPOpenc36.0.0
Related vulnerabilities
OpenC3 COSMOS: ominięcie uprawnień API i dostęp do usług wewnętrznych sieci Docker
SQL Injection w komponencie TSDB OpenC3 COSMOS (CVE-2026-42087)
Path Traversal w endpoincie /script-api/scripts/ OpenC3 COSMOS
OpenC3 COSMOS: Obejście uwierzytelnienia przez słabe wymagania haseł
RCE w komponencie Plugin Management OpenC3 COSMOS poprzez spreparowany plik .txt