Private Key Exposure in Cloud Foundry UAA Versions
CVE-2026-40965
What is CVE-2026-40965?
Cloud Foundry UAA versions v76.12.0 through v78.12.0 expose EC (Elliptic Curve) private signing keys through the public /token_keys endpoint. That endpoint exists to publish the public key material (a JWK Set) that relying parties use to verify JWTs issued by UAA; in the affected versions it also serialises the private component of EC keys, so anyone who can reach the endpoint can obtain the signing key. Only deployments that sign JWTs with EC keys are affected; deployments configured with RSA signing keys are not.
Operators should upgrade UAA to v78.13.0 or later, or CF Deployment to v56.1.0 or later, which ships a fixed UAA release. Because a private signing key that has been served from a public endpoint must be treated as compromised, upgrading alone is not sufficient: the EC signing keys should also be rotated, since tokens signed under an exposed key can be forged by anyone who retrieved it.
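As an added check (example code written for this entry, not code from the advisory or from the UAA project): a script that reads a /token_keys JWK Set from a URL or file and flags any key carrying private or secret members. It assumes the leak shows up as the private scalar d on the EC JWK, which is how an EC private key is encoded in JWK (RFC 7518); the sample key set is constructed, with the EC key taken from the RFC 7515 Appendix A.3 example vectors, and the uaa.example.com host in the usage note is hypothetical.

```python
"""Check a UAA /token_keys JWK Set for private-key members that must never be public."""
import json
import sys
import urllib.request

# JWK members that carry private or secret material (RFC 7517 / RFC 7518).
# "d" is the private scalar of an EC key (and the private exponent of an RSA key);
# "p", "q", "dp", "dq", "qi", "oth" are RSA private CRT values; "k" is a symmetric key.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample JWK Set, not real UAA output. The RSA key is healthy (public
# members only; the modulus is a placeholder). The EC key is the RFC 7515 Appendix A.3
# example key including its private scalar "d", which is the assumed shape of the leak.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "legacy-rsa", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-2026", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
         "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
         "d": "jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"},
    ]
})


def find_leaked_keys(jwks_text):
    """Parse a JWK Set and return [(kid, kty, [leaked members])] for every key
    that contains private or secret material. An empty list means the set is clean."""
    doc = json.loads(jwks_text)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError("not a JWK Set: expected a top-level object with a 'keys' array")
    findings = []
    for key in keys:
        if not isinstance(key, dict):
            continue
        leaked = sorted(PRIVATE_MEMBERS & set(key))
        if leaked:
            findings.append((key.get("kid", "<no kid>"), key.get("kty", "<no kty>"), leaked))
    return findings


def load_jwks(source):
    """Read a JWK Set from a URL (for example https://uaa.example.com/token_keys,
    a hypothetical host) or from a local file path."""
    if source.startswith(("http://", "https://")):
        with urllib.request.urlopen(source, timeout=10) as resp:
            return resp.read().decode("utf-8")
    with open(source, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # With no argument the constructed sample is scanned; pass a URL or file to scan a real set.
    text = load_jwks(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JWKS
    leaks = find_leaked_keys(text)
    for kid, kty, members in leaks:
        print(f"LEAK kid={kid} kty={kty} private members: {', '.join(members)}")
    if not leaks:
        print("no private members found in the key set")
    sys.exit(1 if leaks else 0)
```

Run it against a live deployment with python check_token_keys.py https://uaa.example.com/token_keys (hypothetical host); a non-zero exit means at least one published key carries private material and that key must be rotated, not merely hidden by the upgrade. The check is deliberately broader than the EC case described above so that RSA CRT values or symmetric keys appearing in a public set are also caught.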
Affected Version(s)
CF Deployment 30.0.0 <= version < 56.1.0
uaa_release 76.12.0 <= version < 78.13.0
