Vulnerability in BOSH CLI Affects Deployment Security
CVE-2026-47828
8.9HIGH
Key Information:
- Status
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-47828?
The BOSH CLI mistakenly fails to verify server certificates during the upload of CPI packages and job templates to the VM's DAV blobstore via HTTPS. This oversight exposes the system to network attacks, allowing attackers to intercept TLS connections. They can obtain Basic-auth credentials and access sensitive bootstrap secrets stored in rendered templates, leading to potential root code execution on the BOSH Director. Users of bosh-cli versions earlier than v7.10.4 are particularly at risk and must take action to mitigate this vulnerability.
Affected Version(s)
bosh-cli 0 < 7.10.4
References
CVSS V4
Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown
CVSS V3.0
Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
