CVE-2026-41860

7.1HIGH

Key Information:

Vendor: Cloud Foundry Foundation
Status: Bosh
Vendor: CVE Published:; 4 June 2026

🔔 Create Cloud Foundry Foundation Vulnerability Alert

What is CVE-2026-41860?

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.

Affected versions:

BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

Affected Version(s)

BOSH 0 < 282.1.9

References

https://www.cloudfoundry.org/blog/cve-2026-41860-missing-...

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41860 Data

JSON