CVE-2026-41010 (HIGH), CNA: vmware

CVE-2026-41010: ReleaseJob#unpack builds job_dir = File

ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string:

    Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return)

Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call.

Affected versions:

  • BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: 282.1.12
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A command injection vulnerability exists in BOSH Director (Cloud Foundry Foundation) versions prior to 282.1.12. When a user uploads a specially crafted BOSH release tarball, the job name field from the release manifest is passed unsanitized into a shell command executed by the Director, allowing shell metacharacters to be interpreted by /bin/sh. The attacker must hold an admin-level account on the Director to upload releases, but successful exploitation gives full read, write, and availability impact on both the Director and any systems it manages. A patched-image rebuild at version 282.1.12 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-41010 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built BOSH Director images. Coverage extends to any image derived from an affected BOSH Director base layer.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.7 (High, CVSS v4.0) and weighting it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at BOSH Director version 282.1.12 becomes available through HarborGuard once the fix version is confirmed in the upstream feed. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes regression tests, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host, or access to the Director's API from the local system; no over-the-network exposure is required per AV:L.

  • Authentication: Required

    An admin or privileged Director account is required to upload a BOSH release tarball; any lower-privilege credential is not sufficient (PR:H).

  • Victim interaction: Not required

    No action from another user or operator is needed to trigger the vulnerable code path once the malicious release is uploaded (UI:N).

  • Attack complexity: Detail

    Exploitation requires specific preconditions to align, such as timing or environmental factors, making reliable exploitation harder than a condition-free attack (AC:H, AT:P).

Blast Radius

  • An attacker can read arbitrary files on the BOSH Director host, including credentials, release metadata, and internal configuration (VC:H).
  • An attacker can write or modify files on the Director host and on systems the Director manages, including deployment manifests and job configurations (VI:H, SI:H).
  • An attacker can crash or render unavailable the Director process and the systems it controls, disrupting ongoing deployments and managed VMs (VA:H, SA:H).
  • Because the Director orchestrates infrastructure-level operations, lateral movement to managed BOSH-deployed VMs and their workloads is achievable from the initial foothold.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41010 is matched against customer images within minutes of publication, including custom BOSH Director images. Where compliance policy permits auto-remediation, HarborGuard can rebuild affected images at version 282.1.12, run regression tests, and open a pull request against the affected workload repositories; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuild artifact at 282.1.12 is made available for manual promotion. Until the patched image is deployed, recommended compensating controls include restricting Director API access to a tightly scoped network policy, limiting release-upload permissions to the smallest possible set of accounts, and auditing uploaded release manifests for unexpected job name values.
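
The shell interpolation in ReleaseJob#unpack and the manifest audit recommended above both come down to the same check on job names, shown here as an added Ruby example that is not BOSH's code or its actual patch. The SAFE_JOB_NAME allowlist, the function names and the sample release.MF are assumptions constructed for illustration.

```ruby
require 'yaml'
require 'open3'

# Assumed allowlist for job names (not BOSH's own rule): letters, digits,
# '_' and '-', starting with an alphanumeric, at most 128 characters.
SAFE_JOB_NAME = /\A[A-Za-z0-9][A-Za-z0-9_-]{0,127}\z/

# Return every jobs[].name in a release.MF document that fails the allowlist.
# Missing or non-string names are reported too.
def suspicious_job_names(manifest_yaml)
  manifest = YAML.safe_load(manifest_yaml) || {}
  jobs = manifest['jobs']
  return [] unless jobs.is_a?(Array)
  jobs.map { |job| job.is_a?(Hash) ? job['name'] : job }
      .reject { |name| name.is_a?(String) && name.match?(SAFE_JOB_NAME) }
end

# Build the tar invocation as an argv array after validating the name.
def unpack_argv(release_dir, name)
  unless name.is_a?(String) && name.match?(SAFE_JOB_NAME)
    raise ArgumentError, "unsafe job name: #{name.inspect}"
  end
  job_dir = File.join(release_dir, 'jobs', name)
  job_tgz = File.join(release_dir, 'jobs', "#{name}.tgz")
  ['tar', '-C', job_dir, '-xf', job_tgz]
end

# With several separate arguments Open3 execs tar directly, so /bin/sh
# never parses the paths (unlike the %x{...} string form).
def unpack_job(release_dir, name)
  output, status = Open3.capture2e(*unpack_argv(release_dir, name))
  [output, status.success?]
end

# Constructed sample manifest; the second and third names carry the
# characters the advisory mentions, with a harmless payload.
SAMPLE_MF = <<~YAML
  name: demo-release
  version: "1"
  jobs:
  - name: web
  - name: "db$(true);x"
  - name: ../escape
YAML

puts suspicious_job_names(SAMPLE_MF).inspect if __FILE__ == $PROGRAM_NAME
```

Validation and argv-style execution are independent layers: the allowlist also rejects path separators, while the argv form stays safe even if the pattern is later loosened.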


Fix available

282.1.12

Affected packages

  • Cloud Foundry Foundation / BOSH Director: < 282.1.12 (from 0)

CVSS Vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H