Security Advisory

CVE-2026-41013 – Tenant-controlled comma smuggles arbitrary CIFS mount options

Severity

HIGH

CVSS 3.1 Score: 8.5

Vendor

CloudFoundry Foundation

Versions Affected

*Severity is HIGH unless otherwise noted.

smb-volume-release

– All versions prior to v3.60.0

CF Deployment

– All versions prior to v56.0.0

Description

An input validation bypass in the SMB volume mount handling of CloudFoundry Foundation smb-volume-release (deployed on Diego cells) allows a low-privileged CF space developer to inject arbitrary kernel CIFS mount options by bypassing the mount-option allowlist, enabling privilege escalation and security-control bypass on multi-tenant Diego cells.

The vulnerability lies in the SMB mount-option validation logic: a CF space developer can craft mount options that pass the allowlist check yet carry additional, unvalidated options (as the title states, a comma embedded in a tenant-controlled value is enough for further options to be smuggled into the option string handed to mount.cifs). The allowlist is the primary security boundary between tenant-controlled “harmless SMB configuration” and mount operations performed as root on shared Diego infrastructure.

Once the allowlist is bypassed, the attacker controls the full set of mount.cifs options and can:

– Weaken the mount's security posture by injecting options such as `setuids`, `noperm` or `nounix`

– Manipulate credential handling via the `cruid=` and `credentials=/path/on/host` parameters

– Downgrade or override the SMB security mode via the `sec=` option

– Apply any other mount configuration that operators explicitly intended to forbid

This can lead to privilege escalation, unauthorized file-system access, and compromise of the multi-tenant security model on Diego cells.
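The following Go program is an added illustration of the bug class described above; it is not code from smb-volume-release, and the allowlist contents, option names in the attacker input and the helper names are assumptions made for the example. It shows a builder that checks only the option key against an allowlist and then joins `key=value` pairs with commas, so a value containing a comma smuggles extra mount.cifs options past the check, next to a hardened builder that rejects separator characters in values and re-parses its own output before trusting it.

```go
package main

import (
	"fmt"
	"strings"
)

// MountOpt is one tenant-supplied key/value mount option.
type MountOpt struct {
	Key, Value string
}

// allowedKeys is a hypothetical allowlist of mount.cifs option keys a tenant
// may set. It is an assumption for this example, not the project's real list.
var allowedKeys = map[string]bool{
	"vers": true, "uid": true, "gid": true,
	"file_mode": true, "dir_mode": true, "domain": true,
}

// buildVulnerable validates each key against the allowlist and then joins
// key=value pairs with commas. The value is never inspected, so a value
// such as "1000,setuids" splits into two options once mount.cifs tokenises
// the string on commas.
func buildVulnerable(opts []MountOpt) (string, error) {
	parts := make([]string, 0, len(opts))
	for _, o := range opts {
		if !allowedKeys[o.Key] {
			return "", fmt.Errorf("mount option %q is not allowed", o.Key)
		}
		parts = append(parts, o.Key+"="+o.Value)
	}
	return strings.Join(parts, ","), nil
}

// parseOptionString splits a mount -o string the way mount(8) helpers do:
// comma-separated tokens, each either "key" or "key=value".
func parseOptionString(s string) []MountOpt {
	var out []MountOpt
	for _, tok := range strings.Split(s, ",") {
		if tok == "" {
			continue
		}
		k, v, _ := strings.Cut(tok, "=")
		out = append(out, MountOpt{Key: k, Value: v})
	}
	return out
}

// buildHardened rejects values containing anything that could alter how the
// option string is tokenised, then re-parses its own output and re-checks
// every resulting key (defence in depth: the second pass catches any
// separator the first check did not anticipate).
func buildHardened(opts []MountOpt) (string, error) {
	parts := make([]string, 0, len(opts))
	for _, o := range opts {
		if !allowedKeys[o.Key] {
			return "", fmt.Errorf("mount option %q is not allowed", o.Key)
		}
		if strings.ContainsAny(o.Value, ",=\x00\n\r\t ") {
			return "", fmt.Errorf("mount option %q has an invalid value", o.Key)
		}
		parts = append(parts, o.Key+"="+o.Value)
	}
	joined := strings.Join(parts, ",")
	for _, p := range parseOptionString(joined) {
		if !allowedKeys[p.Key] {
			return "", fmt.Errorf("option string would enable forbidden option %q", p.Key)
		}
	}
	return joined, nil
}

// SmuggledOptions returns the keys in a finished -o string that lie outside
// the allowlist, i.e. what the kernel would see that the validator did not.
func SmuggledOptions(optString string) []string {
	var bad []string
	for _, o := range parseOptionString(optString) {
		if !allowedKeys[o.Key] {
			bad = append(bad, o.Key)
		}
	}
	return bad
}

func main() {
	// Constructed attacker input: the uid value carries a comma.
	attacker := []MountOpt{
		{Key: "vers", Value: "3.0"},
		{Key: "uid", Value: "1000,setuids,noperm,sec=none"},
	}
	s, err := buildVulnerable(attacker)
	fmt.Println("vulnerable builder produced:", s, err)
	fmt.Println("options outside the allowlist:", SmuggledOptions(s))
	_, err = buildHardened(attacker)
	fmt.Println("hardened builder:", err)
}
```

The hardened builder deliberately checks twice: the character filter stops the comma, and the re-parse of the joined string is the check that would have caught this bug even if the filter were incomplete, because it validates what mount.cifs will actually receive rather than what the tenant claimed to send.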

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

smb-volume-release

– Upgrade smb-volume-release versions to v3.60.0 or greater

CF Deployment

– Upgrade cf-deployment version to v56.0.0 or greater

    – Includes smb-volume-release v3.60.0

Immediate Workarounds:

– Disable SMB volume mounting for CF space developers

– Restrict SMB volume operations to platform operators only

– Audit existing SMB mounts created by space developers

– Implement additional network-level controls around Diego cells
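As an added example of the "audit existing SMB mounts" workaround (not a tool shipped by the Cloud Foundry project), the Go program below scans text in `/proc/mounts` format from a Diego cell for cifs mounts whose option string contains anything outside an operator-defined baseline. The baseline and the sample mount lines are constructed for the example; the mount-point paths and option values are assumptions, not taken from a real deployment.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one cifs mount carrying options outside the baseline.
type Finding struct {
	Source, Target string
	Options        []string // the offending tokens, in mount-string order
}

// baselineOptions is a hypothetical operator baseline: tokens listed as a
// bare key (e.g. "uid") allow any value, tokens listed as key=value (e.g.
// "sec=ntlmssp") allow only that value. Anything else is reported.
var baselineOptions = map[string]bool{
	"rw": true, "relatime": true, "vers": true,
	"sec=ntlmssp": true, "sec=krb5": true,
	"cache": true, "username": true, "uid": true, "gid": true,
	"file_mode": true, "dir_mode": true,
}

// sampleProcMounts is constructed input in /proc/mounts layout
// (source target fstype options dump pass); it is not real cell output.
const sampleProcMounts = `//fileserver.example/share1 /var/vcap/data/volumes/smb/tenant-a cifs rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=svc,uid=2000,gid=2000,file_mode=0755,dir_mode=0755 0 0
//fileserver.example/share2 /var/vcap/data/volumes/smb/tenant-b cifs rw,relatime,vers=3.0,sec=none,cache=strict,uid=0,setuids,noperm 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
`

// AuditMounts returns one Finding per cifs mount whose option tokens are not
// all covered by the allowed set, matching each token first as a whole and
// then by its key.
func AuditMounts(procMounts string, allowed map[string]bool) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(procMounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[2] != "cifs" {
			continue
		}
		var bad []string
		for _, tok := range strings.Split(f[3], ",") {
			key, _, _ := strings.Cut(tok, "=")
			if allowed[tok] || allowed[key] {
				continue
			}
			bad = append(bad, tok)
		}
		if len(bad) > 0 {
			findings = append(findings, Finding{Source: f[0], Target: f[1], Options: bad})
		}
	}
	return findings
}

func main() {
	for _, fi := range AuditMounts(sampleProcMounts, baselineOptions) {
		fmt.Printf("%s on %s: unexpected options %v\n", fi.Source, fi.Target, fi.Options)
	}
}
```

Two caveats when running a check like this on a real cell: mounts performed in another mount namespace are only visible through that process's `/proc/<pid>/mounts`, not the host's `/proc/mounts`, and the option string the kernel reports is its normalised view, so options consumed by the userspace mount.cifs helper (the `credentials=` file path, for instance) will not appear there and must be audited from the driver's own configuration or logs instead.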

Credit

n/a

History

June 1st: Initial vulnerability report published


Cloud Foundry Foundation Security Team, AUTHOR
