OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database
GHSA-v529-vhwc-wfc5 · CVE-2026-42087
Published · Modified
Description
Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Attack type: Authenticated remote
Impact: Telemetry data disclosure and deletion
Affected components: openc3-tsdb (QuestDB)
A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data.
Figure 1: Source code vulnerable to SQL injection
Additionally, the get_tlm_values RPC endpoint only requires “tlm” permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.
Figure 2: Source code showing the required permissions for the get_tlm_values endpoint
Sending a normal request to the endpoint brings back a single array of values for the parameter:
Figure 3: A normal request to the get_tlm_values endpoint
However, sending a specially crafted request within the start_time variable brings back all the data in the database:
Figure 4: The request and response after sending the SQL injection payload
This payload can be modified to executes SQL commands in the TSDB.
Figure 5: SQL injection used to execute arbitrary SQL command
The user can then delete all the historical data in the database:
Figure 6: Example payload dropping the tables
Steps to Reproduce
- Capture a JSON-RPC request to the
get_tlm_valuesendpoint. - Add the
start_timekey to the request body and place the following in the value:
‘ OR 1=1 --
- Retrieve all database data.
Recommendations
• Sanitize all user-supplied input before executing it
• Use prepared statements with parameterized queries when executing SQL statements
References
- WEB https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42087
- WEB https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415
- PACKAGE https://github.com/OpenC3/cosmos
- WEB https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2026-42087.yml
Ready to move
Start Securing
Free, no credit card | First findings in minutes