{"id":"GHSA-v529-vhwc-wfc5","summary":"OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database","details":"**Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nAttack type: Authenticated remote\nImpact: Telemetry data disclosure and deletion\nAffected components: openc3-tsdb (QuestDB)**\n\nA SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The `tsdb_lookup` function in the `cvt_model.rb` file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. \n \n\u003cimg width=\"940\" height=\"719\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2c2dd294-6192-49d3-b670-fd7b82c05be0\" /\u003e\n\nFigure 1: Source code vulnerable to SQL injection\nAdditionally, the `get_tlm_values` RPC endpoint only requires “tlm” permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.\n \n\u003cimg width=\"940\" height=\"410\" alt=\"image\" src=\"https://github.com/user-attachments/assets/40be7e8d-51f9-442d-bbd7-77c8488a2f78\" /\u003e\n\nFigure 2: Source code showing the required permissions for the `get_tlm_values` endpoint\nSending a normal request to the endpoint brings back a single array of values for the parameter:\n \n\u003cimg width=\"944\" height=\"481\" alt=\"image\" src=\"https://github.com/user-attachments/assets/23678f17-6bdf-41c1-81bc-ace5a8daa7e5\" /\u003e\n\nFigure 3: A normal request to the `get_tlm_values` endpoint\nHowever, sending a specially crafted request within the start_time variable brings back all the data in the database:\n \n\u003cimg width=\"944\" height=\"432\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bd5ecc87-ba9c-43f0-b196-91062b9c395a\" /\u003e\n\nFigure 4: The request and response after sending the SQL injection payload\nThis payload can be modified to executes SQL commands in the TSDB.\n \n\u003cimg width=\"944\" height=\"425\" alt=\"image\" src=\"https://github.com/user-attachments/assets/70c3c88e-9ed6-4542-bfb4-e77abb002c15\" /\u003e\n\nFigure 5: SQL injection used to execute arbitrary SQL command\nThe user can then delete all the historical data in the database:\n \n\u003cimg width=\"944\" height=\"496\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f2dc1fa6-5fe0-4232-867a-a65776f108ee\" /\u003e\n\nFigure 6: Example payload dropping the tables\n###\tSteps to Reproduce\n1.\tCapture a JSON-RPC request to the `get_tlm_values` endpoint.\n2.\tAdd the `start_time` key to the request body and place the following in the value:\n```sql\n‘ OR 1=1 --\n```\n3.\tRetrieve all database data.\n###\tRecommendations\n•\tSanitize all user-supplied input before executing it\n•\tUse prepared statements with parameterized queries when executing SQL statements","aliases":["CVE-2026-42087"],"modified":"2026-05-29T22:00:13.424143134Z","published":"2026-04-23T14:12:02Z","database_specific":{"github_reviewed":true,"severity":"CRITICAL","cwe_ids":["CWE-89"],"nvd_published_at":"2026-05-04T18:16:30Z","github_reviewed_at":"2026-04-23T14:12:02Z"},"references":[{"type":"WEB","url":"https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42087"},{"type":"WEB","url":"https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415"},{"type":"PACKAGE","url":"https://github.com/OpenC3/cosmos"},{"type":"WEB","url":"https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2026-42087.yml"}],"affected":[{"package":{"name":"openc3","ecosystem":"RubyGems","purl":"pkg:gem/openc3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"7.0.0-rc3"}]}],"versions":["6.10.0","6.10.1","6.10.2","6.10.3","6.10.4","6.10.5","6.10.6","6.7.0","6.8.0","6.8.1","6.9.0","6.9.1","6.9.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v529-vhwc-wfc5/GHSA-v529-vhwc-wfc5.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}]}