Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2026-47831 – Cryptographically Weak Password Generation in bosh-windows-stemcell-builder Allows Remote SSH Brute-Force Attacks

Severity

High 

CVSSv4: High 7.7 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CVSSv3: High 7.5 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Cloud Foundry Foundation

Versions Affected

*Severity is High unless otherwise noted.

bosh-windows-stemcell-builder

– All versions prior to v2019.98

Description

Use of Cryptographically Weak Random Number Generator in GenerateRandomPassword function in bosh-windows-stemcell-builder allows remote attacker to brute-forceable SSH login via TCP/22.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry Foundation recommends upgrading the following releases:

bosh-windows-stemcell-builder

– Upgrade to v2019.98 or later

Credit

This issue was responsibly reported by VMware Tanzu by Broadcom.

History

Jul 8, 2026: Initial vulnerability report published.

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES