Arbitrary Blobstore Deletion Risk in BOSH Director by Cloud Foundry
CVE-2026-41704

6.8MEDIUM

Key Information:

Vendor: Cloud Foundry Foundation
Status: Bosh Director
Vendor: CVE Published:; 27 May 2026

🔔 Create Cloud Foundry Foundation Vulnerability Alert

What is CVE-2026-41704?

The vulnerability arises from how the AgentClient handles NATS replies. It processes every response, calling 'inject_compile_log' on each one, and retrieves the 'compile_log_id' for resource deletion. Furthermore, any response with 'exception' triggers the 'format_exception' function, which reads an exception ID and also initiates the blob deletion process. The method used to delete resources does not implement checks for ownership or proper identifier format, creating a critical loophole where compromised VMs can execute arbitrary deletions from the shared blobstore in BOSH Director.

Affected Version(s)

BOSH Director 0 < 282.1.12

References

https://www.cloudfoundry.org/blog/cve-2026-41704-compromi...

CVSS V4

Score:

6.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41704 Data

JSON