Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2026-47826 – blobs.yaml Path Traversal Allows File Writes

Severity

HIGH

CVSSv4: High 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
CVSSv3: High 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) 

Vendor

CloudFoundry Foundation

Versions Affected

*Severity is HIGH unless otherwise noted.

BOSH CLI tool

– All versions prior to v7.10.4

Description

The `blobs.yml` path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

BOSH CLI tool

– Upgrade BOSH CLI tool versions to v7.10.4 or greater

Credit

This issue was responsibly reported by VMware Tanzu by Broadcom.

History

July 8th: Initial vulnerability report published.

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES