CVE-2026-41860

Summary

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.

Affected versions:

  • BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

Affected Software

VendorProductVersion RangeStatus
Cloud Foundry FoundationBOSH0 < 282.1.9affected

Weaknesses

  • CWE-326: CWE-326: Inadequate Encryption Strength

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References