CVE Reports

Originally published at cvereports.com

GHSA-2wvh-87g2-89hr: Privilege Escalation via Script Runner in OpenC3 COSMOS

Vulnerability ID: GHSA-2WVH-87G2-89HR
CVSS Score: 9.1
Published: 2026-04-23

A critical permissions bypass vulnerability in OpenC3 COSMOS allows authenticated users to escalate privileges via the Script Runner tool. The vulnerability occurs because the script execution environment shares a network with internal services and exposes sensitive credentials via environment variables, allowing attackers to directly interact with internal components like the Redis database.

TL;DR

OpenC3 COSMOS versions prior to 7.0.0-rc3 fail to adequately sandbox the Script Runner tool. Authenticated users can extract internal Redis credentials from the execution environment and connect directly to backend databases, bypassing application-level access controls to modify system settings and retrieve secrets.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-250, CWE-269
  • Attack Vector: Network
  • CVSS Score: 9.1 (Critical)
  • Impact: Confidentiality: High, Integrity: High, Availability: None
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • OpenC3 COSMOS Script Runner API Container
  • OpenC3 COSMOS Internal Redis Database
  • OpenC3 COSMOS Buckets Service
  • OpenC3 COSMOS: < 7.0.0-rc3 (Fixed in: 7.0.0-rc3)

Exploit Details

  • Research Report: Python and Ruby scripts to extract environment variables and overwrite internal Redis settings.

Mitigation Strategies

  • Upgrade to a patched version (7.0.0-rc3 or later).
  • Apply the principle of least privilege to Script Runner access.
  • Isolate internal network traffic using Docker or Kubernetes network policies.
  • Migrate from environment-variable-based secrets to secure secret management solutions.

Remediation Steps:

  1. Identify the current version of OpenC3 COSMOS deployed in your environment.
  2. If the version is prior to 7.0.0-rc3, schedule an immediate maintenance window.
  3. Pull the updated Docker images (openc3inc/openc3-cosmos-script-runner-api:7.0.0-rc3 or newer).
  4. Restart the COSMOS stack to apply the new configuration.
  5. Verify that standard users can no longer execute arbitrary OS commands or extract infrastructure secrets via the Script Runner.
  6. Audit Redis logs and bucket contents for unauthorized modifications if the system was previously exposed.
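
The two conditions behind this issue (credentials present in the script execution environment, and a network shared with internal services) can be checked from container metadata. The following is an added example, not code from OpenC3 or from the original report: it audits `docker inspect` JSON, and the container names, network names, variable names and the secret-name pattern are assumptions made for illustration.

```python
import json
import re

# Heuristic for credential-bearing variable names (an assumption of this example).
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.IGNORECASE)

# Constructed `docker inspect` output; all names and values are illustrative.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/script-runner",
     "Config": {"Env": ["EXAMPLE_REDIS_PASSWORD=placeholder", "PATH=/usr/bin"]},
     "NetworkSettings": {"Networks": {"backend": {}}}},
    {"Name": "/redis",
     "Config": {"Env": ["PATH=/usr/bin"]},
     "NetworkSettings": {"Networks": {"backend": {}}}},
    {"Name": "/isolated-runner",
     "Config": {"Env": ["PATH=/usr/bin"]},
     "NetworkSettings": {"Networks": {"sandbox": {}}}},
])


def audit(inspect_json, runner_names, internal_names):
    """Flag runners that hold secret-like env vars or share a network with internal services."""
    containers = {c["Name"].lstrip("/"): c for c in json.loads(inspect_json)}

    def networks(name):
        settings = containers[name].get("NetworkSettings") or {}
        return set(settings.get("Networks") or {})

    findings = {}
    for runner in runner_names:
        if runner not in containers:
            continue
        env = (containers[runner].get("Config") or {}).get("Env") or []
        names = [entry.split("=", 1)[0] for entry in env]
        # Report variable names only, never their values.
        secret_env = sorted(n for n in names if SECRET_NAME.search(n))
        shared = {}
        for service in internal_names:
            if service in containers:
                common = networks(runner) & networks(service)
                if common:
                    shared[service] = sorted(common)
        if secret_env or shared:
            findings[runner] = {"secret_env": secret_env, "shared_networks": shared}
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT, ["script-runner", "isolated-runner"], ["redis"]), indent=2))
```

On a live host, feed the function the output of `docker inspect $(docker ps -q)` and the container names used in your deployment; an empty result for the script execution container means neither condition was detected by this heuristic.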


Read the full report for GHSA-2WVH-87G2-89HR on our website for more details including interactive diagrams and full exploit analysis.
