OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Description

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Attack type: Authenticated remote
Impact: Telemetry data disclosure and deletion
Affected components: openc3-tsdb (QuestDB)

A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data.

<img width="940" height="719" alt="image" src="https://github.com/user-attachments/assets/2c2dd294-6192-49d3-b670-fd7b82c05be0" />

Figure 1: Source code vulnerable to SQL injection
Additionally, the get_tlm_values RPC endpoint only requires “tlm” permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.

<img width="940" height="410" alt="image" src="https://github.com/user-attachments/assets/40be7e8d-51f9-442d-bbd7-77c8488a2f78" />

Figure 2: Source code showing the required permissions for the get_tlm_values endpoint
Sending a normal request to the endpoint brings back a single array of values for the parameter:

<img width="944" height="481" alt="image" src="https://github.com/user-attachments/assets/23678f17-6bdf-41c1-81bc-ace5a8daa7e5" />

Figure 3: A normal request to the get_tlm_values endpoint
However, sending a specially crafted request within the start_time variable brings back all the data in the database:

<img width="944" height="432" alt="image" src="https://github.com/user-attachments/assets/bd5ecc87-ba9c-43f0-b196-91062b9c395a" />

Figure 4: The request and response after sending the SQL injection payload
This payload can be modified to executes SQL commands in the TSDB.

<img width="944" height="425" alt="image" src="https://github.com/user-attachments/assets/70c3c88e-9ed6-4542-bfb4-e77abb002c15" />

Figure 5: SQL injection used to execute arbitrary SQL command
The user can then delete all the historical data in the database:

<img width="944" height="496" alt="image" src="https://github.com/user-attachments/assets/f2dc1fa6-5fe0-4232-867a-a65776f108ee" />

Figure 6: Example payload dropping the tables

Steps to Reproduce

  1. Capture a JSON-RPC request to the get_tlm_values endpoint.
  2. Add the start_time key to the request body and place the following in the value:
‘ OR 1=1 --
  1. Retrieve all database data.

Recommendations

• Sanitize all user-supplied input before executing it
• Use prepared statements with parameterized queries when executing SQL statements

Basic information

Type
reviewed
Severity
critical
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-23 14:12:02 UTC
Updated
2026-05-29 21:46:52 UTC
GitHub reviewed
2026-04-23 14:12:02 UTC
NVD published
2026-05-04

EPSS Score

Score Percentile
0.03% 7.67%

CVSS Scores

Base score Version Severity Vector
9.6 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Credits

  • suffs811 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rubygems openc3 >= 6.7.0, < 7.0.0-rc3 7.0.0-rc3

References

cvelogic Threat Intelligence