CVE-2026-40964: Authentication Bypass in cf-auth-proxy in Cloud Foundry Foundation all installations allows an unauthenticated remote attacker to gain read access to every log and metric for every application and platform component via minting a JWT that the cf-auth-proxy accepts as a valid logs
Authentication Bypass in cf-auth-proxy in Cloud Foundry Foundation all installations allows an unauthenticated remote attacker to gain read access to every log and metric for every application and platform component via minting a JWT that the cf-auth-proxy accepts as a valid logs.admin token.
Affected versions:
- log-cache_release: all versions through v3.2.6 (inclusive); fixed in v3.2.7 or later
- CF Deployment: all versions through v55.?.0 (inclusive); fixed in v55.?.0 or later (bundles log-cache_release v3.2.7)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability in the cf-auth-proxy component of Cloud Foundry Foundation allows an unauthenticated remote attacker to forge a JWT token that cf-auth-proxy accepts as a valid logs.admin credential. The component is reachable over the network and requires no prior authentication or user interaction. Successful exploitation gives the attacker read access to every application log and platform metric across all applications and infrastructure components. Note: The affected versions section references fix versions (log-cache_release v3.2.7), but no official fix release has been confirmed by the CNA at the time of publication; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-40964 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle cf-auth-proxy or log-cache_release components. Any image carrying an affected version of log-cache_release (v3.2.6 or earlier) is flagged automatically in both registry scans and CI/CD pipeline checks.
Status: Available
Triage is available using the CVSS v3.1 base score of 7.5 (HIGH), with per-environment compliance policy weighting applied so teams operating under stricter confidentiality requirements receive appropriately elevated priority. Findings are routed to the team inbox configured for each customer org based on image ownership and policy assignment.
Status: Available
Because no official fix version has been confirmed by the upstream CNA at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is published. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a confirmed fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required. The attacker must reach the cf-auth-proxy service over the network; the component is internet- or network-exposed (AV:N).
- Authentication: Not required. No credentials or existing account are needed; the attacker bypasses authentication entirely by minting a forged JWT (PR:N).
- Victim interaction: Not required. The exploit requires no action from any user or operator; the attacker interacts directly with the service (UI:N).
- Attack complexity: Detail. Exploit conditions are reliable and free of environmental dependencies; no race conditions or special configurations are required to trigger the bypass (AC:L).
Blast Radius
- The attacker reads all application logs across every application hosted on the Cloud Foundry platform, potentially exposing credentials, session tokens, debug output, and business data written to stdout or stderr.
- The attacker reads all platform component metrics, revealing internal service topology, resource utilization patterns, and operational state that can be used for reconnaissance of the broader infrastructure.
- No data modification or service disruption is enabled by this vulnerability; impact is limited to confidentiality (I:N, A:N).
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-40964 is active and matches any image containing log-cache_release v3.2.6 or earlier. Because no upstream fix release has been confirmed by the CNA at publication time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a confirmed fix version is published. For customers who opt into auto-remediation, the full flow (rebuild, regression run, PR opened against affected workloads) triggers automatically without manual intervention. In the interim, compensating controls worth considering include network-policy isolation that restricts inbound access to the cf-auth-proxy endpoint to known internal CIDRs, egress filtering to limit what the proxy can reach if compromised, and review of any logs.admin-scoped access grants in your CF environment to reduce the value of the exposed data. Customers whose compliance policies flag HIGH-severity confidentiality findings for immediate escalation will see this CVE routed accordingly in their HarborGuard inbox.
- Cloud Foundry Foundation / log-cache_release ≤ 3.2.6
- Cloud Foundry Foundation / CF Deployment ≤ 55.?.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:X/RC:X/CR:M/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:N/MA:N