DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-v529-vhwc-wfc5: Authenticated SQL Injection in OpenC3 COSMOS QuestDB Integration

Vulnerability ID: GHSA-V529-VHWC-WFC5
CVSS Score: 9.1
Published: 2026-04-23

OpenC3 COSMOS versions prior to 7.0.0-rc3 contain a critical SQL injection vulnerability in the telemetry retrieval functions interfacing with the QuestDB time-series database. The flaw permits low-privileged authenticated users to execute arbitrary SQL commands against the database backend, resulting in complete database compromise, arbitrary data disclosure, and the capability to perform destructive operations.

TL;DR

An authenticated SQL injection vulnerability (CVSS 9.1) in OpenC3 COSMOS allows users with low privileges (e.g., Viewer or Runner) to execute arbitrary SQL queries against the backend QuestDB database via the JSON-RPC API, enabling data exfiltration and destruction.

⚠️ Exploit Status: POC

Technical Details

  • CVSS Score: 9.1 (Critical)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • CWE ID: CWE-89
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • OpenC3 COSMOS
  • QuestDB Integration Module
  • OpenC3 COSMOS: >= 6.7.0, < 7.0.0-rc3 (Fixed in: v7.0.0-rc3)

Code Analysis

Commit: 9ba60c0

Implementation of parameterization to resolve SQL injection in telemetry retrieval functions
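To make the fix concrete, here is an added Ruby illustration (not OpenC3 COSMOS code and not the patched commit) of a telemetry range query built by string interpolation next to the same query built with validated inputs and bind parameters; the table name, column names, and the INST/HEALTH_STATUS sample values are constructed, and the parameterized form assumes a PostgreSQL-wire driver such as the pg gem, which QuestDB accepts.

```ruby
# Added illustration, not OpenC3 COSMOS code: the same telemetry range query
# built two ways. Table and column names are assumptions for the example.
require 'time'

TABLE = 'tlm_history' # assumed table name

# Vulnerable pattern: the caller-supplied start_time lands inside the SQL
# text, so a quote or semicolon in it changes the statement's meaning.
def range_query_unsafe(target, packet, start_time, end_time)
  "SELECT * FROM #{TABLE} WHERE target = '#{target}' AND packet = '#{packet}' " \
  "AND ts >= '#{start_time}' AND ts < '#{end_time}'"
end

# Hardened pattern: check the shape of every input, then send values as bind
# parameters so the driver transmits them separately from the statement text.
NAME_RE = /\A[A-Z0-9_]{1,64}\z/ # assumed naming rule for target/packet

def parse_ts(value)
  Time.iso8601(value.to_s)
rescue ArgumentError
  raise ArgumentError, "start_time/end_time must be ISO 8601 timestamps"
end

def range_query_safe(target, packet, start_time, end_time)
  [target, packet].each do |name|
    raise ArgumentError, "bad identifier: #{name.inspect}" unless name.to_s.match?(NAME_RE)
  end
  t0 = parse_ts(start_time)
  t1 = parse_ts(end_time)
  raise ArgumentError, 'start_time must precede end_time' unless t0 < t1
  sql = "SELECT * FROM #{TABLE} WHERE target = $1 AND packet = $2 " \
        'AND ts >= $3 AND ts < $4'
  # Returned as [sql, params]; with the pg gem this is conn.exec_params(sql, params).
  [sql, [target, packet, t0.utc.iso8601, t1.utc.iso8601]]
end
```

With the unsafe builder a start_time carrying a stacked statement becomes part of the query; the hardened builder rejects it before any SQL is assembled, and legitimate values never touch the statement text at all.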

Exploit Details

  • Research Context: Proof of Concept leveraging the start_time parameter for boolean-based extraction and stacked queries

Mitigation Strategies

  • Upgrade OpenC3 COSMOS to a patched version
  • Enforce least privilege for user roles with telemetry (tlm) access
  • Deploy Web Application Firewall (WAF) rules to inspect JSON-RPC payloads for SQL syntax
  • Monitor database transaction logs for unauthorized DDL operations

Remediation Steps:

  1. Review current OpenC3 COSMOS version in the production environment.
  2. Schedule a maintenance window for application updates.
  3. Apply the 7.0.0-rc3 or later patch provided by OpenC3.
  4. Verify the integrity of existing telemetry data in QuestDB.
  5. Implement application layer monitoring for the JSON-RPC endpoints.
