Local Authentication Bypass in BOSH Affects Cloud Foundry Users
CVE-2026-41860

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-41860?

A vulnerability in BOSH allows local attackers to exploit hardcoded SSL verification settings, leading to potential interception of Basic-auth credentials and token requests. This could facilitate man-in-the-middle (MITM) attacks, exposing sensitive authentication data. Users are encouraged to upgrade to BOSH version 282.1.9 or later to mitigate this risk and ensure secure communications.

Affected Version(s)

BOSH 0 < 282.1.9

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.