CRITICAL | CVE-2026-40965 | CNA: vmware

CVE-2026-40965: Cloud Foundry UAA versions v76

Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. The vulnerability affects only deployments that use EC keys for JWT token signing; RSA key configurations are not affected.

Affected versions:

  • uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later
  • CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
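The exposure described above is a public JWKS endpoint serving a key object that carries private members. The following is an added example, not code from the advisory or from Cloud Foundry, showing how an operator can audit a JWKS document for that condition. It relies only on the JWK parameter names defined in RFC 7518 (for EC keys the private scalar is "d"; for RSA keys "d", "p", "q", "dp", "dq", "qi", "oth"). The sample document is constructed and its key values are dummy strings; `audit_token_keys` is a hypothetical helper for fetching your own deployment's /token_keys URL and is not called here.

```python
import json
import urllib.request

# Private-key members by key type, per RFC 7518 (JWK parameters).
# A public JWKS endpoint such as UAA's /token_keys must never serve any of them.
PRIVATE_MEMBERS = {
    "EC": {"d"},                                       # EC private scalar
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},   # RSA private exponent and CRT parameters
    "oct": {"k"},                                      # symmetric secret; must never be published
}


def find_private_key_leaks(jwks: dict) -> list[dict]:
    """Return one finding per key in a JWKS document that carries private material."""
    findings = []
    for key in jwks.get("keys", []):
        kty = key.get("kty", "")
        leaked = sorted(PRIVATE_MEMBERS.get(kty, set()) & set(key))
        if leaked:
            findings.append({"kid": key.get("kid"), "kty": kty, "leaked_members": leaked})
    return findings


def audit_token_keys(url: str, timeout: float = 5.0) -> list[dict]:
    """Hypothetical helper: fetch your own UAA's /token_keys document and audit it.

    Not invoked in this example so the block runs offline.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return find_private_key_leaks(json.load(resp))


# Constructed sample JWKS (not real UAA output); key values are dummy strings.
# The first key is a healthy RSA public key. The second is an EC key that wrongly
# includes its private scalar "d", which is the condition the advisory describes.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256",
         "n": "sample-modulus", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "sample-x-coordinate", "y": "sample-y-coordinate",
         "d": "sample-private-scalar"},
    ]
}

if __name__ == "__main__":
    for finding in find_private_key_leaks(SAMPLE_JWKS):
        print(f"LEAK: kid={finding['kid']} kty={finding['kty']} "
              f"members={finding['leaked_members']}")
```

A non-empty result means the signing key has to be treated as compromised: upgrading to a fixed release stops the disclosure, but tokens signed with the already-disclosed key remain verifiable until that key is rotated out of the trusted set.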

Metrics

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: 56.1.0
Affected Products: 2


HarborGuard Analysis

Synopsis

This is a private key exposure vulnerability in Cloud Foundry UAA versions v76.12.0 through v78.12.0. The server's public /token_keys endpoint, which is intended to serve only public key material for JWT verification, incorrectly returns EC (Elliptic Curve) private key components when EC keys are configured for JWT signing. An unauthenticated attacker reachable over the network can retrieve the private key and use it to forge arbitrary JWT tokens, gaining unauthorized access to any resource that trusts tokens signed by the affected UAA instance. Patched-image rebuilds at uaa_release v78.13.0 and CF Deployment v56.1.0 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-40965 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle affected UAA versions. The capability covers both uaa_release and CF Deployment packaging lineages so no affected variant is missed.

Triage (Available)

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 10.0 (Critical) and weighting that score against each customer organization's compliance policy to determine breach-of-threshold status. Triage findings are routed to the inbox configured for the relevant team inside each customer org, prioritized by policy.

Patch (Available)

A patched-image rebuild at uaa_release v78.13.0 or CF Deployment v56.1.0 becomes available on HarborGuard once the fixed base image is resolvable from the upstream release. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the regression test suite, and opens a PR against affected workloads; where compliance policy permits, median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes.

Exploit Conditions

  • Network reachability: Required

    The vulnerable /token_keys endpoint is an HTTP service exposed over the network, so the attacker must be able to reach it remotely.

  • Authentication: Not required

    The endpoint is publicly accessible with no credentials required, matching PR:N in the CVSS vector.

  • Victim interaction: Not required

    No user action is needed; the attacker queries the endpoint directly without any social-engineering step, matching UI:N.

  • Attack complexity: Low

    Exploit conditions are reliable and free of environmental dependencies (AC:L, AT:N); retrieving the private key is a single unauthenticated HTTP request with no race conditions or special timing required.

Blast Radius

  • Attacker retrieves the EC private key used to sign JWT tokens for the UAA instance.
  • Attacker forges arbitrary JWT tokens, impersonating any user or service account including platform administrators.
  • Attacker gains full read and write access to Cloud Foundry platform resources and any application or service authorized by tokens issued from the compromised UAA (SC:H, SI:H).
  • Availability impact is rated low (VA:L, SA:L); the primary risk is complete confidentiality and integrity compromise of the identity plane.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40965 is active across ingestion pipelines and will flag any image containing uaa_release v76.12.0 through v78.12.0 or CF Deployment v30.0.0 through v56.0.0. Given the CVSS 10.0 Critical rating and the zero-interaction, network-reachable attack path, this CVE is surfaced at the highest priority tier in compliance policy evaluation. For customers who opt into auto-remediation, HarborGuard will rebuild the affected image at uaa_release v78.13.0 or CF Deployment v56.1.0, run the configured regression suite, and open a PR against affected workloads; median time from publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For deployments that do not use EC keys for JWT signing, no immediate action is required, but upgrading to a patched release is still recommended to prevent future exposure if the key configuration changes. Customers who cannot immediately patch should consider restricting network access to the /token_keys endpoint at the ingress or network-policy layer as a compensating control until the rebuilt image is deployed.
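The version matching described above (flagging uaa_release v76.12.0 through v78.12.0 and CF Deployment v30.0.0 through v56.0.0) is simple enough to reproduce locally against an inventory export. The following is an added example, not HarborGuard's or Cloud Foundry's code; it encodes the advisory's ranges as first-affected (inclusive) and fixed (exclusive) bounds, uses the package names as the page spells them, and assumes dotted numeric versions with an optional leading "v". The inventory is a constructed sample.

```python
import re

# Affected ranges from the advisory: (first affected, inclusive) .. (fixed, exclusive).
AFFECTED_RANGES = {
    "uaa_release": ("76.12.0", "78.13.0"),
    "CF Deployment": ("30.0.0", "56.1.0"),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v78.12.0' or '78.12.0' into a tuple of ints that compares numerically."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(package: str, version: str) -> bool:
    """True if the package/version pair falls inside the advisory's affected range."""
    if package not in AFFECTED_RANGES:
        raise KeyError(f"package {package!r} is not covered by this advisory")
    first_affected, fixed = AFFECTED_RANGES[package]
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed)


def scan_inventory(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (package, version) pairs from an inventory that need patching.

    Packages the advisory does not cover are skipped rather than treated as errors.
    """
    return [(pkg, ver) for pkg, ver in inventory
            if pkg in AFFECTED_RANGES and is_affected(pkg, ver)]


# Constructed sample inventory, not real deployment data.
SAMPLE_INVENTORY = [
    ("uaa_release", "v76.11.0"),      # one release before the first affected version
    ("uaa_release", "v78.12.0"),      # last affected release
    ("uaa_release", "v78.13.0"),      # fixed release
    ("CF Deployment", "v56.0.0"),     # last affected release
    ("CF Deployment", "v56.1.0"),     # fixed release
    ("some-other-package", "1.2.3"),  # not covered by this advisory
]

if __name__ == "__main__":
    for pkg, ver in scan_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED: {pkg} {ver}")
```

Tuple comparison handles the lexical trap of comparing versions as strings ("78.9.0" would otherwise sort after "78.12.0"); the strict upper bound mirrors the page's "< 78.13.0 (from 76.12.0)" notation.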


Fix available: 56.1.0 (CF Deployment), 78.13.0 (uaa_release)

Affected packages
  • Cloud Foundry Foundation / uaa_release
    < 78.13.0 (from 76.12.0)
  • Cloud Foundry Foundation / CF Deployment
    < 56.1.0 (from 30.0.0)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L