Vulnerability in BOSH CLI Affects Deployment Security
CVE-2026-47828

8.9HIGH

What is CVE-2026-47828?

The BOSH CLI mistakenly fails to verify server certificates during the upload of CPI packages and job templates to the VM's DAV blobstore via HTTPS. This oversight exposes the system to network attacks, allowing attackers to intercept TLS connections. They can obtain Basic-auth credentials and access sensitive bootstrap secrets stored in rendered templates, leading to potential root code execution on the BOSH Director. Users of bosh-cli versions earlier than v7.10.4 are particularly at risk and must take action to mitigate this vulnerability.

Affected Version(s)

bosh-cli 0 < 7.10.4

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

CVSS V3.0

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.