Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack.
The system does not enforce sufficiently strong passwords (CWE-521), allowing users to set passwords vulnerable to automated dictionary attacks or brute force attacks. An attacker can remotely and without any prior privileges systematically attempt successive password combinations until successfully logging into the victim's account.
A successful brute force attack allows an attacker to take control of a user or administrator account, resulting in complete compromise of the confidentiality, integrity, and availability of the OpenC3 COSMOS system.
Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to enforce strong password policies in the organization's security policy and implement account lockout mechanisms after a specified number of failed login attempts.
OpenC3 COSMOS v6.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenc3 Cosmos
APPOpenc36.0.0
Related vulnerabilities
OpenC3 COSMOS: ominięcie uprawnień API i dostęp do usług wewnętrznych sieci Docker
SQL Injection w komponencie TSDB OpenC3 COSMOS (CVE-2026-42087)
Path Traversal w endpoincie /script-api/scripts/ OpenC3 COSMOS
OpenC3 COSMOS — hardcoded credentials w koncie Service Account
RCE w komponencie Plugin Management OpenC3 COSMOS poprzez spreparowany plik .txt