Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2026-41010 – Release Job Name Command Injection on BOSH Director

by: June 2, 2026

Severity

CVSSv4: High 8.7 

CVSS:4.0: (/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
CVSSv3: High 8.2 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Vendor

Cloud Foundry Foundation

Versions Affected

*Severity is HIGH unless otherwise noted.

BOSH Director

– All versions prior to v282.1.12 

Description

ReleaseJob#unpack builds job_dir = File.join(@release_dir, ‘jobs’, name) and job_tgz = File.join(@release_dir, ‘jobs’, “#{name}.tgz”) where name returns @job_meta[‘name’], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh(“tar -C #{job_dir}-xf #{job_tgz} 2>&1”, :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call. 

Exploit scenario 

Attacker with bosh.releases.upload crafts a release tarball whose release.MF contains jobs: [ {name: “x$(bash -c ‘id>/tmp/pwn’)”, version: “1”, sha1: “…”, fingerprint: “…”}] and includes a matching jobs/x$(bash -c ‘id>/tmp/pwn’).tgz entry (tar entry names may contain $() characters). They POST /releases (multipart upload). The async Jobs::UpdateRelease worker extracts the tarball, parses release.MF, iterates new jobs, and calls ReleaseJob#update unpack. The shell evaluates the $(…) substitution before invoking tar, executing the attacker’s command on the BOSH director VM. 

Preconditions 

  • Authenticated user with bosh.releases.upload (or 

bosh.<env>.releases.upload / bosh.admin) scope

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

BOSH Director

– Upgrade BOSH Director versions to v282.1.12  or greater

Immediate Workarounds:

  1. Restrict bosh.releases.upload scope to only highly trusted users
  2. Implement additional monitoring of release upload activities
  3. Consider network isolation of BOSH Director from less trusted networks
  4. Audit existing accounts with upload permissions

Credit

n/a

History

Initial vulnerability report published Jun 2, 2026

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-2961-1 Little CMS vulnerability
Security Advisory

USN-2961-1 Little CMS vulnerability

by Cloud Foundry Foundation Security Team June 13, 2016
USN-5743-2: LibTIFF vulnerability
Security Advisory

USN-5743-2: LibTIFF vulnerability

by Cloud Foundry Foundation Security Team December 7, 2022
Redis LUA Exploit
Security Advisory

Redis LUA Exploit

by Cloud Foundry Foundation Security Team June 9, 2015
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept