Man-in-the-middle Vulnerability in BOSH by Cloud Foundry
CVE-2026-41859
7.1HIGH
What is CVE-2026-41859?
A critical security vulnerability in Cloud Foundry's BOSH allows a man-in-the-middle attacker to intercept communications between nats-sync and the BOSH director. This enables the theft of sensitive director credentials, such as Basic authentication headers or UAA client secrets. Additionally, the attacker can manipulate the VM list stored in the NATS authorization file, leading to potential unauthorized administrative access. The issue stems from the construction of a Net::HTTP client that disables SSL verification for all director API calls, exposing the system to risks. Users are urged to upgrade to BOSH version 282.1.9 or later to mitigate this security flaw.
Affected Version(s)
BOSH 0 < 282.1.9
