Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2026-47828 – Missing TLS Certificate Verification in BOSH CLI Allows Root Code Execution via Man-in-the-Middle Credential Replay

Severity

CVSS Score: High 8.9 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSSv3: High 7.1 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor

BOSH-Ecosystem / BOSH (bosh-cli)

Versions Affected

*Severity is High unless otherwise noted.

bosh-cli

– All versions prior to v7.10.4

Description

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM’s DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director — then replay the credentials against the real VM’s agent for root code execution. 

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

bosh-cli

– Upgrade bosh-cli to v7.10.4 or greater

Credit

This issue was responsibly reported by VMware Tanzu by Broadcom.

History

July 8th: Initial vulnerability report published.

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES