Shell Injection Vulnerability in BOSH CLI by Cloud Foundry
CVE-2026-41857

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-41857?

A security vulnerability in BOSH CLI enables a compromised BOSH Director to execute arbitrary shell commands on an operator's workstation when commands such as bosh ssh, bosh scp, or bosh logs -f are run with default settings. This could lead to significant security risks if an attacker can manipulate the environment or the command being executed, particularly on systems running vulnerable versions prior to 7.10.5.

Affected Version(s)

BOSH CLI 0 < 7.10.5

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

CVSS V3.0

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.