CVE-2026-41013: Tenant-controlled comma smuggles arbitrary CIFS mount options

Synopsis

An input validation bypass in CloudFoundry Foundation's diego-release (smb-volume-release and CF Deployment) allows a low-privileged CF space developer to inject arbitrary kernel CIFS mount options by smuggling extra values past the mount-option allowlist using comma characters. The vulnerability is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation lets an attacker escalate privileges and bypass security controls on shared Diego cells, reading sensitive data and tampering with persisted state. Patched-image rebuilds at smb-volume-release 3.60.0 and CF Deployment 56.0.0 are available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the CloudFoundry API or CF space endpoints over the network to submit a crafted SMB volume mount request.

• AuthenticationRequired

  Any low-privilege CF space developer account is sufficient; no administrative credentials are needed.

• Victim interactionNot required

  The attacker acts entirely through their own API calls and does not need another user to take any action.

• Attack complexityDetail

  The exploit is reliable and condition-free; no race condition or specific memory layout is required to smuggle the comma-delimited mount options.

Blast Radius

• Reads sensitive files and credentials accessible to other tenants on the shared Diego cell by injecting mount options that bypass isolation controls.
• Modifies kernel-level CIFS mount behavior to redirect or tamper with shared volume data belonging to other CF applications on the same cell.
• Bypasses security controls enforced by the mount-option allowlist, enabling privilege escalation on the multi-tenant host.
• Does not directly crash the affected service (availability impact is rated None in the CVSS vector).