CVE-2026-41859: A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file
A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms).
Affected versions:
- BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 282.1.9
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a credential-theft and data-tampering vulnerability in the BOSH nats-sync component, caused by disabled TLS certificate verification. The nats-sync process builds its HTTPS client with certificate verification turned off (VERIFY_NONE), so any attacker positioned on the network path between nats-sync and the BOSH director can present a forged certificate that the client accepts without complaint and intercept the traffic. Successful exploitation lets an attacker steal BOSH director credentials (Basic auth header or UAA client secret) and tamper with the VM list written into the NATS authorization file, potentially gaining full administrative access to the director. A patched-image rebuild at version 282.1.9 is available on HarborGuard for affected environments.
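As an added example (not nats-sync code and not HarborGuard's), the client construction the advisory describes is shown beside a hardened form that validates the director's certificate chain, and both are exercised against two constructed local TLS listeners: one presenting the trusted director certificate and one presenting an untrusted certificate, as an interposer would. The names director_client, self_signed, tls_listener and probe are chosen here, and an in-memory OpenSSL::X509::Store stands in for the deployment's director CA file.

```ruby
require "net/http"
require "openssl"

# Director client as the advisory describes the unpatched code (VERIFY_NONE) beside a hardened form.
def director_client(host, port, trust_store: nil, insecure: false)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  if insecure
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # unpatched: any certificate is accepted
  else
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER # chain must validate against the trusted CA
    http.cert_store = trust_store               # in a deployment: http.ca_file = director CA bundle
  end
  http
end

# Constructed self-signed certificate; stands in for the director's cert or an interposer's.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key.public_key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Local TLS listener presenting the given certificate and answering any request with a canned /info body.
def tls_listener(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new.tap { |c| c.cert, c.key = cert, key }
  srv = OpenSSL::SSL::SSLServer.new(TCPServer.new("127.0.0.1", 0), ctx)
  Thread.new do
    loop do
      c = srv.accept                         # raises when a verifying client aborts the handshake
      nil while (l = c.gets) && l != "\r\n"  # discard the request line and headers
      c.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n{}")
      c.close
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    end
  end
  srv.to_io.addr[1]                          # the port the listener was bound to
end

# :accepted if GET /info completed, :rejected if the client refused the presented certificate.
def probe(port, trust_store:, insecure:)
  director_client("127.0.0.1", port, trust_store: trust_store, insecure: insecure).get("/info")
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
end
```

The unpatched client completes the request against either listener, while the hardened client completes it only against the listener whose certificate is in the trust store.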
HarborGuard Coverage
Detection of CVE-2026-41859 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built images that bundle affected BOSH releases.
HarborGuard scores this finding at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org.
A patched-image rebuild at BOSH version 282.1.9 is available on HarborGuard for any environment running an affected release. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host, or a position on a network path between nats-sync and the BOSH director; no remote internet exposure is required.
- Authentication: Required
  A low-privilege account on the host or network segment is sufficient to position the attacker for interception.
- Victim interaction: Not required
  No action from an operator or end user is needed; exploitation occurs passively during normal nats-sync-to-director API calls.
- Attack complexity: Low (AC:L)
  While the exploit itself is straightforward once positioned, the attacker requires a specific precondition: an adjacent network position or host access to intercept the unverified TLS connection (AT:P in the CVSS vector).
Blast Radius
- Reads the BOSH director Basic auth header or UAA client secret in plaintext from intercepted HTTP traffic, granting full administrative director access.
- Modifies the VM list returned to nats-sync, allowing the attacker to rewrite the NATS authorization file and control which VMs are permitted to communicate over NATS.
- Compromises downstream systems connected through NATS by injecting unauthorized VM entries into the authorization file.
- Causes persistent impact on systems dependent on BOSH director control (SC:H, SI:H, SA:H) by leveraging stolen credentials for ongoing unauthorized director operations.
How HarborGuard Handles This
Available on HarborGuard: any image containing a BOSH release earlier than 282.1.9 is flagged automatically within minutes of CVE publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 282.1.9, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the finding is routed to the designated team inbox for manual review. As a compensating control before patching, consider applying network policy to isolate the nats-sync process so that only the legitimate BOSH director IP can be reached on the relevant port, reducing the opportunity for a man-in-the-middle position.
Fix available
- Cloud Foundry Foundation / BOSH: < 282.1.9 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H