Local Blobstore Issues in BOSH Director by Cloud Foundry
CVE-2026-41009

4.3 MEDIUM

Key Information:

Vendor
CVE Published:
27 May 2026

What is CVE-2026-41009?

A vulnerability exists within Cloud Foundry's BOSH Director where improper handling of agent replies during long-running requests can lead to arbitrary file reads and deletes in the local blobstore. The system's failure to normalize file paths allows attackers to access sensitive configuration files outside the designated blobstore root by manipulating request parameters. This could result in unauthorized access to crucial system data, which makes applying the recommended security patches important.
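The class of check the description points to, as an added Ruby example that is not BOSH Director code: an untrusted blob id is normalized and symlink-resolved before it is allowed to name a file under the blobstore root. The function names, the `blobs` directory layout and the `director.yml` file are assumptions, and the sample ids are constructed.

```ruby
require 'tmpdir'
require 'fileutils'

class BlobPathError < StandardError; end

# Unhardened pattern: the untrusted id is joined to the root as-is.
def naive_blob_path(root, blob_id)
  File.join(root, blob_id)
end

# Hardened pattern: normalize, then require the result to stay under the root.
def safe_blob_path(root, blob_id)
  raise BlobPathError, 'blob id must be a non-empty string' unless blob_id.is_a?(String) && !blob_id.empty?
  raise BlobPathError, 'NUL byte in blob id' if blob_id.include?("\0")

  prefix = File.realpath(root) + File::SEPARATOR
  lexical = File.expand_path(blob_id, prefix) # collapses "." and ".."; absolute ids replace the base
  raise BlobPathError, "escapes blobstore root: #{blob_id.inspect}" unless lexical.start_with?(prefix)

  resolved = begin
    File.realdirpath(lexical) # follows symlinks; the last component may not exist yet
  rescue SystemCallError
    raise BlobPathError, "unresolvable path: #{blob_id.inspect}"
  end
  raise BlobPathError, "symlink escapes blobstore root: #{blob_id.inspect}" unless resolved.start_with?(prefix)
  resolved
end

def try_resolve(root, blob_id)
  safe_blob_path(root, blob_id)
rescue BlobPathError => e
  "REJECTED (#{e.message})"
end

# Constructed layout: <tmp>/blobs is the root, <tmp>/director.yml sits outside it.
def demo
  Dir.mktmpdir do |base|
    root = File.join(base, 'blobs')
    FileUtils.mkdir_p(root)
    File.write(File.join(base, 'director.yml'), "constructed: value\n")
    File.write(File.join(root, 'abc123'), 'blob')
    File.symlink(base, File.join(root, 'link')) # symlink pointing out of the root
    ids = ['abc123', 'sub/../abc123', '../director.yml', 'link/director.yml', '/etc/hostname']
    ids.to_h { |id| [id, { naive: File.expand_path(naive_blob_path(root, id)), safe: try_resolve(root, id) }] }
  end
end

demo.each { |id, r| puts "#{id.inspect}: naive=#{r[:naive]} safe=#{r[:safe]}" } if $PROGRAM_NAME == __FILE__
```

The same containment check belongs in front of both read and delete operations, since the description names both.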

Affected Version(s)

BOSH Director 0 < 282.1.12

References

CVSS V4

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
