What is GHSA-v529-vhwc-wfc5?

GHSA-v529-vhwc-wfc5 is a security advisory published by GitHub Security Advisories with Critical severity. OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Which CVE IDs does GHSA-v529-vhwc-wfc5 cover?

GHSA-v529-vhwc-wfc5 covers the following CVE IDs: CVE-2026-42087. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-v529-vhwc-wfc5?

GHSA-v529-vhwc-wfc5 has a CVSS v3 base score of 9.6, published by GitHub Security Advisories.

Which products are affected by GHSA-v529-vhwc-wfc5?

GHSA-v529-vhwc-wfc5 affects 1 product, including: rubygems/openc3:\u003e= 6.7.0, \u003c 7.0.0-rc3.

GHSA-v529-vhwc-wfc5CriticalCVSS 9.6

OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Vendor

GitHub Security Advisories

Published

April 23, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-42087 →

📋 Description

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Attack type: Authenticated remote Impact: Telemetry data disclosure and deletion Affected components: openc3-tsdb (QuestDB)

A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data.

Figure 1: Source code vulnerable to SQL injection Additionally, the get_tlm_values RPC endpoint only requires “tlm” permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.

Figure 2: Source code showing the required permissions for the get_tlm_values endpoint Sending a normal request to the endpoint brings back a single array of values for the parameter:

Figure 3: A normal request to the get_tlm_values endpoint However, sending a specially crafted request within the start_time variable brings back all the data in the database:

Figure 4: The request and response after sending the SQL injection payload This payload can be modified to executes SQL commands in the TSDB.

Figure 5: SQL injection used to execute arbitrary SQL command The user can then delete all the historical data in the database:

Figure 6: Example payload dropping the tables

Steps to Reproduce

Capture a JSON-RPC request to the get_tlm_values endpoint.
Add the start_time key to the request body and place the following in the value:

‘ OR 1=1 --

Retrieve all database data.

Recommendations

• Sanitize all user-supplied input before executing it • Use prepared statements with parameterized queries when executing SQL statements

🎯 Affected products1

rubygems/openc3:>= 6.7.0, < 7.0.0-rc3

🔗 CVE IDs covered (1)

📋 Description

Steps to Reproduce

Recommendations

🎯 Affected products1

🔗 References (6)