CVE-2026-41011: PackagePersister
PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x{}, i.e., /bin/sh -c. No Shellwords.escape is applied. The Models::Package Sequel validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) would reject the name, but in create_package (lines 74–79) the shell-out in save_package_source_blob runs before package.save, so validation fires too late.
Affected versions:
- BOSH: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 282.1.12
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an OS command injection vulnerability in the BOSH release-upload pipeline, specifically in the PackagePersister component of Cloud Foundry BOSH versions prior to 282.1.12. An attacker with admin-level access to the BOSH director can upload a crafted release tarball containing a malicious package name inside release.MF; that name is interpolated unsanitized into a shell command, giving the attacker arbitrary command execution on the director host. The Sequel model validation that would catch the bad name runs after the dangerous shell-out, so it provides no protection. A patched-image rebuild at version 282.1.12 is available on HarborGuard for environments running an affected version.
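An added Ruby sketch of the two mitigations the description points to (not BOSH's own code or its actual patch): check the manifest-supplied name before any path or command is built, and run tar with an argv array so no shell parses it. SAFE_NAME, package_tgz_path, list_tgz, build_sample_release and check_package are hypothetical names, the sample release is constructed, and a tar binary on PATH is assumed.

```ruby
require 'open3'
require 'tmpdir'
require 'fileutils'

# Character class copied from the VALID_ID pattern quoted above. This sketch
# anchors with \A and \z because Ruby's ^ and $ match at every line break.
SAFE_NAME = /\A[-0-9A-Za-z_+.]+\z/

# Hypothetical helper: check the manifest-supplied name BEFORE it reaches a
# path or a command, instead of relying on model validation at save time.
def package_tgz_path(release_dir, name)
  unless name.is_a?(String) && SAFE_NAME.match?(name)
    raise ArgumentError, "invalid package name #{name.inspect}"
  end
  File.join(release_dir, 'packages', "#{name}.tgz")
end

# Hypothetical replacement for the shell string: each argument is its own
# argv element, so no /bin/sh ever parses the path.
def list_tgz(tgz)
  out, status = Open3.capture2e('tar', '-tf', tgz)
  raise "tar rejected #{tgz}: #{out}" unless status.success?
  out.lines.map(&:chomp)
end

# Constructed sample: a release directory holding one small package tarball.
def build_sample_release(dir, name)
  pkg_dir = File.join(dir, 'packages')
  FileUtils.mkdir_p(pkg_dir)
  File.write(File.join(dir, 'packaging'), "echo build\n")
  ok = system('tar', '-czf', File.join(pkg_dir, "#{name}.tgz"), '-C', dir, 'packaging')
  raise 'could not build sample tarball' unless ok
  dir
end

# Validate, then list; returns the entries or the rejection message.
def check_package(release_dir, name)
  list_tgz(package_tgz_path(release_dir, name))
rescue ArgumentError => e
  "rejected: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_release(dir, 'demo-pkg_1.0')
    p check_package(dir, 'demo-pkg_1.0')
    p check_package(dir, 'demo pkg;x')
  end
end
```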
HarborGuard Coverage
Detection of CVE-2026-41011 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built BOSH director images. Custom images derived from affected base layers are covered by the same matching pass.
HarborGuard scores this finding at CVSS 4.0 8.7 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
A patched-image rebuild at BOSH 282.1.12 becomes available through HarborGuard once the fix version is confirmed in upstream metadata. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host, or authenticated access to the BOSH director API; no over-the-network unauthenticated path is required.
- Authentication: Required
An admin or privileged account on the BOSH director is needed to upload a release tarball and trigger the vulnerable code path.
- Victim interaction: Not required
No victim interaction is required; the attacker triggers the shell injection directly by uploading the crafted release.
- Attack complexity
Exploitation depends on specific preconditions including privileged access and the ability to supply a crafted release archive, making reliable exploitation conditional on environmental factors.
Blast Radius
- Reads sensitive files and secrets accessible to the BOSH director process, including deployment credentials and cloud-provider keys stored on the host.
- Modifies or deletes persisted deployment state, release blobs, and configuration data managed by the director.
- Crashes or disrupts the BOSH director service, preventing deployments and updates across all managed infrastructure.
- Pivots to connected cloud infrastructure components by leveraging credentials and network access available to the compromised director host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-41011 is active across connected registries and pipelines the moment the CVE is ingested. For environments running a BOSH director image prior to 282.1.12, a rebuild at the fixed version is available. Where compliance policy permits auto-remediation, HarborGuard will rebuild the image at 282.1.12, run a regression test pass, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Given the HIGH severity and the combination of full confidentiality, integrity, and availability impact across both the vulnerable component and downstream scoped components, prioritizing this rebuild is advisable for any environment where the BOSH director image has not already been updated.
Fix available
- Cloud Foundry Foundation / BOSH < 282.1.12 (from 0)
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H