Input Validation Bypass in CloudFoundry Diego-Release Affecting SMB Volume Management
CVE-2026-41013
Currently unrated
What is CVE-2026-41013?
A vulnerability has been identified in the SMB volume mount handling within CloudFoundry's Diego-Release, where inadequate input validation allows low-privileged Cloud Foundry space developers to inject arbitrary kernel CIFS mount options. The injected options bypass the intended mount-option allowlist, posing significant security risks such as privilege escalation and potential security control violations on multi-tenant Diego cells. Organizations using versions prior to smb-volume-release v3.60.0 and CF Deployment v56.0.0 are particularly at risk.
Affected Version(s)
CF Deployment: versions before 56.0.0
smb-volume-release: versions before 3.60.0
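
The description above concerns a mount-option allowlist that user input could get around. The following is an added example, not code from smb-volume-release or Diego, of one general way to enforce such an allowlist before options are joined into a mount option string. The function name, the allowlist contents and the sample inputs are assumptions made for illustration, and the advisory does not say how the actual flaw works.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// allowedOptions is a constructed allowlist for illustration only;
// it is not the list used by smb-volume-release.
var allowedOptions = map[string]bool{
	"username": true, "password": true, "domain": true,
	"vers": true, "uid": true, "gid": true, "ro": true,
}

// BuildMountData (hypothetical helper) validates user-supplied options and
// returns the comma-separated option string handed to mount. Because the
// string is comma-separated by default, a comma inside a value would begin
// a new option that was never compared against the allowlist, so keys are
// checked by exact match and values carrying separators are rejected.
func BuildMountData(opts map[string]string) (string, error) {
	keys := make([]string, 0, len(opts))
	for k := range opts {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output for logging and tests
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		if !allowedOptions[k] {
			return "", fmt.Errorf("mount option %q is not allowed", k)
		}
		v := opts[k]
		// Rejecting is stricter than escaping: no quoting rules to get wrong.
		if strings.ContainsAny(v, ",\x00\r\n") {
			return "", fmt.Errorf("value for %q contains a separator or control character", k)
		}
		if v == "" {
			parts = append(parts, k) // flag-style option such as "ro"
		} else {
			parts = append(parts, k+"="+v)
		}
	}
	return strings.Join(parts, ","), nil
}

func main() {
	// Constructed inputs: one well-formed, one with a separator in a value.
	fmt.Println(BuildMountData(map[string]string{"username": "app", "vers": "3.0"}))
	fmt.Println(BuildMountData(map[string]string{"username": "app,extra_opt"}))
}
```

Validating each key and value separately, before concatenation, keeps the check aligned with what the option parser will later see.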
