Man-in-the-middle Vulnerability in BOSH by Cloud Foundry
CVE-2026-41859

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-41859?

A critical security vulnerability in Cloud Foundry's BOSH allows a man-in-the-middle attacker to intercept communications between nats-sync and the BOSH director. This enables the theft of sensitive director credentials, such as Basic authentication headers or UAA client secrets. Additionally, the attacker can manipulate the VM list stored in the NATS authorization file, leading to potential unauthorized administrative access. The issue stems from the construction of a Net::HTTP client that disables SSL verification for all director API calls, exposing the system to risks. Users are urged to upgrade to BOSH version 282.1.9 or later to mitigate this security flaw.

Affected Version(s)

BOSH 0 < 282.1.9

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.