Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2026-41857 – BOSH CLI Shell Injection

Severity

High

CVSSv4: High 7.1(CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)CVSSv3: High 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vendor

CloudFoundry BOSH

Versions Affected

*Severity is High unless otherwise noted.

BOSH CLI

– All versions prior to 7.10.5 (inclusive)

Description

A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator’s workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

BOSH CLI

– Upgrade BOSH CLI versions to 7.10.5 or greater

Credit

This issue was responsibly reported by VMware Tanzu by Broadcom .

History

July 8th: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES