GHSA-wgx6-g857-jjf7

Source
https://github.com/advisories/GHSA-wgx6-g857-jjf7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wgx6-g857-jjf7/GHSA-wgx6-g857-jjf7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wgx6-g857-jjf7
Aliases
  • CVE-2026-42084
Published
2026-04-22T22:13:10Z
Modified
2026-05-05T16:11:45.116714Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Details

Summary

The OpenC3 password change functionality allows a user to change their password without providing the old password, because it accepts a valid session token in its place. In an assumed-breach scenario, an attacker who has already obtained a valid session token can exploit this behaviour to gain persistence in the hijacked account (including an admin account) and to lock legitimate users out of it.

Details

The design flaw in the authentication model (authentication.rb) allows passwords and session tokens to be used interchangeably for user authentication. Because old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account's password even after the victim resets it, thereby maintaining persistent control over the compromised account.
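The following is an added illustration, not code from OpenC3 or from this advisory, written to make the two defects described above concrete from a defender's side. It models a small account store with a constructed user and shows the weak password-change check (old-password field satisfied by either the password or any live session token, tokens left valid after the change) next to a hardened one that only accepts the current password and revokes every session for the account on reset. The store, the PBKDF2-based hashing and the helper names are assumptions for the example; the scenario walks through the same sequence the advisory describes and returns the outcomes so they can be compared.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example store (not OpenC3 code): users keyed by name,
# sessions keyed by opaque token.
class AccountStore
  ITERATIONS = 100_000

  def initialize
    @users = {}     # name => { salt:, hash: }
    @sessions = {}  # token => username
  end

  def create_user(name, password)
    salt = SecureRandom.hex(16)
    @users[name] = { salt: salt, hash: derive(password, salt) }
  end

  # Issue a session token after a successful password login.
  def login(name, password)
    return nil unless password_valid?(name, password)
    token = SecureRandom.hex(32)
    @sessions[token] = name
    token
  end

  def session_user(token)
    @sessions[token]
  end

  # WEAK (the pattern the advisory describes): the "old password" field is
  # accepted if it is either the real password OR a live session token for
  # that user, and existing tokens stay valid after the change.
  def change_password_weak(name, old_secret, new_password)
    authorised = password_valid?(name, old_secret) || @sessions[old_secret] == name
    return false unless authorised
    reset_hash(name, new_password)
    true
  end

  # HARDENED: only the current password proves knowledge of the credential,
  # and every session for the account is revoked, so a hijacked token cannot
  # be reused after the legitimate user resets.
  def change_password(name, old_password, new_password)
    return false unless password_valid?(name, old_password)
    reset_hash(name, new_password)
    @sessions.delete_if { |_token, user| user == name }
    true
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  def password_valid?(name, candidate)
    rec = @users[name]
    return false unless rec && candidate.is_a?(String)
    secure_compare(rec[:hash], derive(candidate, rec[:salt]))
  end

  def reset_hash(name, new_password)
    salt = SecureRandom.hex(16)
    @users[name] = { salt: salt, hash: derive(new_password, salt) }
  end

  # Constant-time comparison of two byte strings of equal length.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replay the advisory's sequence against either handler with a constructed
# account and return the observable outcomes.
def scenario(weak:)
  store = AccountStore.new
  store.create_user('alice', 'password')
  hijacked = store.login('alice', 'password')  # token assumed to be in an attacker's hands
  # Legitimate user resets the password, proving knowledge of the old one.
  if weak
    store.change_password_weak('alice', 'password', 'password123')
  else
    store.change_password('alice', 'password', 'password123')
  end
  token_still_valid = !store.session_user(hijacked).nil?
  # A second change request that supplies the old token in the old-password field.
  token_accepted = if weak
                     store.change_password_weak('alice', hijacked, 'attacker-password')
                   else
                     store.change_password('alice', hijacked, 'attacker-password')
                   end
  { token_still_valid: token_still_valid,
    token_accepted_as_password: token_accepted,
    new_password_works: !store.login('alice', 'password123').nil? }
end
```

With the weak handler the scenario reports that the old token survives the reset, that it is accepted in place of the old password, and that the legitimate user's new password no longer logs in; with the hardened handler all three outcomes are reversed. The two properties to test for in a real deployment are exactly these: a password change must require the current password (a bearer token is not a proof of knowledge), and it must invalidate all existing sessions for the account.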

PoC

  1. The attacker is logged in to the user account with a hijacked, still-valid session token, but does not know the actual password.
  2. As a preventive action, the legitimate user changes their password from the old password (password), which they know, to a new one (password123), then establishes a new session.
  3. The attacker issues another password change request (via a web proxy such as Burp), supplying the still-valid token as oldpassword_ and changing the password to attacker-password; from this point on, legitimate users can no longer access the account.
     [screenshot: https://github.com/user-attachments/assets/d27b5980-0326-40f8-bb39-657d7b1c95a0]
     [screenshot: https://github.com/user-attachments/assets/060d9fe1-637e-4a2d-9142-76612984ea28]

Impact

Persistence for an attacker who has obtained a valid session token, and denial of account access to legitimate users.

Database specific
{
    "github_reviewed_at": "2026-04-22T22:13:10Z",
    "nvd_published_at": "2026-05-04T18:16:30Z",
    "cwe_ids": [
        "CWE-620"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

RubyGems / openc3

Package

Name
openc3
Purl
pkg:gem/openc3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.10.5

Affected versions

5.*
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.1.0
5.1.1
5.2.0
5.3.0
5.4.0
5.4.1
5.4.2
5.4.3.pre.beta0
5.5.0.pre.beta0
5.5.0
5.5.1
5.5.2.pre.beta0
5.5.2
5.6.0
5.6.1
5.7.0
5.7.2
5.8.0
5.8.1
5.9.0
5.9.1
5.10.0
5.10.1
5.11.0
5.11.1
5.11.2
5.11.3
5.12.0
5.13.0
5.14.0
5.14.1
5.14.2
5.15.0
5.15.1
5.15.2
5.16.0
5.16.1
5.16.2
5.17.0
5.17.1
5.18.0
5.19.0
5.20.0
6.*
6.0.0
6.0.1
6.0.2
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.7.0
6.8.0
6.8.1
6.9.0
6.9.1
6.9.2
6.10.0
6.10.1
6.10.2
6.10.3
6.10.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wgx6-g857-jjf7/GHSA-wgx6-g857-jjf7.json"

RubyGems / openc3

Package

Name
openc3
Purl
pkg:gem/openc3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0.pre.rc1
Fixed
7.0.0-rc3

Affected versions

7.*
7.0.0.pre.rc1
7.0.0.pre.rc2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wgx6-g857-jjf7/GHSA-wgx6-g857-jjf7.json"