CVE-2026-41859

HIGH

Cloud Foundry Foundation Bosh < 282.1.9 - Improper Certificate Validation

Title source: rule

Description

A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms). Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

References (1)

Core 1

Core References

https://www.cloudfoundry.org/blog/cve-2026-41859-missing-tls-in-nats-sync/

Scores

CVSS v3 7.8

EPSS 0.0010

EPSS Percentile 1.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (1)

Cloud Foundry Foundation/BOSH < 282.1.9

Published Jun 04, 2026

Tracked Since Jun 04, 2026