CVE-2026-41723: VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 3
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) vulnerabilities affect VMware Cloud Foundation Operations, VMware Aria Operations, and VMware Telco Cloud Platform. An authenticated attacker with low-level privileges can reach the flaw over the network by injecting malicious scripts into policies, views, or text widgets; the injected script executes when a victim visits the affected page. Successful exploitation gives the attacker full administrative control over the Operations environment, including the ability to read, modify, or destroy data. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection for CVE-2026-41723 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built images derived from affected VMware base layers. Status: Available.
Triage is available using the CVSS v3.1 score of 8.0 (HIGH), weighted against each customer organization's compliance policy to determine urgency and routed to the appropriate team inbox within that org. Status: Available.
Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment VMware releases an upstream fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix is available. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the VMware Cloud Foundation Operations web interface over the network to deliver the injected script payload.
- Authentication: Required
  A low-privilege account with rights to create policies, views, or text widgets is sufficient; no administrative credentials are needed to plant the payload.
- Victim interaction: Required
  A higher-privileged user (such as an administrator) must visit the page containing the injected script for the payload to execute in their browser session.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental pre-conditions beyond the attacker holding a qualifying account.
Blast Radius
- Reads session tokens and authentication credentials of the victim user, potentially including administrative accounts.
- Performs administrative actions within VMware Cloud Foundation Operations on behalf of the victim, such as modifying configurations or access-control policies.
- Exfiltrates sensitive operational data visible to the hijacked session, including infrastructure topology and monitoring data.
- Disrupts or tampers with platform management by altering or deleting policies, views, and widget configurations under the victim's privileges.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against affected image versions as soon as it enters the feed, and triage findings are surfaced in each customer environment according to its compliance policy weighting. Because VMware has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle and will trigger the rebuild-and-PR flow the moment an upstream fix is published; for customers with auto-remediation enabled, that means a rebuilt image, regression test run, and pull request opened against affected workloads without manual steps. In the meantime, compensating controls worth evaluating include network-policy rules that restrict access to the Operations UI to trusted internal IP ranges, egress filtering to limit what an injected script can reach, and auditing which accounts hold policy, view, or text-widget creation rights to reduce the number of principals who can plant a payload.
- VMware / VCF operations: ≤ 9.1.0.0 · ≤ 9.0.2.0 EP2 · ≤ 8.18.7
- VMware / VMware Aria Operations: ≤ 8.18.6 · ≤ 8.18.7
- VMware / VMware Telco Cloud Platform: ≤ 8.18.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H