GHSA-V529-VHWC-WFC5

Vulnerability from github – Published: 2026-04-23 14:12 – Updated: 2026-04-23 14:12
VLAI?
Summary
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database
Details

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Attack type: Authenticated remote Impact: Telemetry data disclosure and deletion Affected components: openc3-tsdb (QuestDB)

A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data.

image

Figure 1: Source code vulnerable to SQL injection Additionally, the get_tlm_values RPC endpoint only requires “tlm” permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.

image

Figure 2: Source code showing the required permissions for the get_tlm_values endpoint Sending a normal request to the endpoint brings back a single array of values for the parameter:

image

Figure 3: A normal request to the get_tlm_values endpoint However, sending a specially crafted request within the start_time variable brings back all the data in the database:

image

Figure 4: The request and response after sending the SQL injection payload This payload can be modified to executes SQL commands in the TSDB.

image

Figure 5: SQL injection used to execute arbitrary SQL command The user can then delete all the historical data in the database:

image

Figure 6: Example payload dropping the tables

Steps to Reproduce

  1. Capture a JSON-RPC request to the get_tlm_values endpoint.
  2. Add the start_time key to the request body and place the following in the value:
‘ OR 1=1 --
  1. Retrieve all database data.

Recommendations

• Sanitize all user-supplied input before executing it • Use prepared statements with parameterized queries when executing SQL statements

Severity ?
9.6 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "openc3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "7.0.0-rc3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-23T14:12:02Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "**Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\nAttack type: Authenticated remote\nImpact: Telemetry data disclosure and deletion\nAffected components: openc3-tsdb (QuestDB)**\n\nA SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The `tsdb_lookup` function in the `cvt_model.rb` file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. \n \n\u003cimg width=\"940\" height=\"719\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2c2dd294-6192-49d3-b670-fd7b82c05be0\" /\u003e\n\nFigure 1: Source code vulnerable to SQL injection\nAdditionally, the `get_tlm_values` RPC endpoint only requires \u201ctlm\u201d permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.\n \n\u003cimg width=\"940\" height=\"410\" alt=\"image\" src=\"https://github.com/user-attachments/assets/40be7e8d-51f9-442d-bbd7-77c8488a2f78\" /\u003e\n\nFigure 2: Source code showing the required permissions for the `get_tlm_values` endpoint\nSending a normal request to the endpoint brings back a single array of values for the parameter:\n \n\u003cimg width=\"944\" height=\"481\" alt=\"image\" src=\"https://github.com/user-attachments/assets/23678f17-6bdf-41c1-81bc-ace5a8daa7e5\" /\u003e\n\nFigure 3: A normal request to the `get_tlm_values` endpoint\nHowever, sending a specially crafted request within the start_time variable brings back all the data in the database:\n \n\u003cimg width=\"944\" height=\"432\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bd5ecc87-ba9c-43f0-b196-91062b9c395a\" /\u003e\n\nFigure 4: The request and response after sending the SQL injection payload\nThis payload can be modified to executes SQL commands in the TSDB.\n \n\u003cimg width=\"944\" height=\"425\" alt=\"image\" src=\"https://github.com/user-attachments/assets/70c3c88e-9ed6-4542-bfb4-e77abb002c15\" /\u003e\n\nFigure 5: SQL injection used to execute arbitrary SQL command\nThe user can then delete all the historical data in the database:\n \n\u003cimg width=\"944\" height=\"496\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f2dc1fa6-5fe0-4232-867a-a65776f108ee\" /\u003e\n\nFigure 6: Example payload dropping the tables\n###\tSteps to Reproduce\n1.\tCapture a JSON-RPC request to the `get_tlm_values` endpoint.\n2.\tAdd the `start_time` key to the request body and place the following in the value:\n```sql\n\u2018 OR 1=1 --\n```\n3.\tRetrieve all database data.\n###\tRecommendations\n\u2022\tSanitize all user-supplied input before executing it\n\u2022\tUse prepared statements with parameterized queries when executing SQL statements",
  "id": "GHSA-v529-vhwc-wfc5",
  "modified": "2026-04-23T14:12:02Z",
  "published": "2026-04-23T14:12:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenC3/cosmos"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.