CVE-2026-41860 | Severity: HIGH | CNA: vmware

CVE-2026-41860: CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM

HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.

Affected versions:

  • BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: 282.1.9
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An inadequate cryptographic strength vulnerability (CWE-326) in BOSH, the Cloud Foundry infrastructure orchestrator, allows a local attacker to intercept TLS-protected traffic between bosh-monitor and the BOSH director or UAA. The affected code in HttpRequestHelper hard-codes OpenSSL::SSL::VERIFY_NONE, meaning TLS certificates are never verified and any process or user on the same host can perform a man-in-the-middle attack to steal Basic-auth credentials or hijack UAA token requests. Successful exploitation gives the attacker long-lived credentials and the ability to impersonate both the monitor and the target services. A patched-image rebuild at v282.1.9 is available on HarborGuard for environments running an affected version.
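The setting described in the synopsis, shown beside a verifying configuration and a small source audit. This is an added example built on Ruby's standard Net::HTTP; it is not code from BOSH or from HarborGuard, and the URL, the ca_file parameter and the sample source are assumptions constructed for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Weak form, as the advisory describes it: TLS is on, but any certificate
# an interceptor presents is accepted.
def insecure_client(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Corrected form: the peer certificate must chain to a trusted CA.
# ca_file is a hypothetical path to a CA bundle; nil uses the system store.
def verified_client(url, ca_file: nil)
  uri = URI(url)
  store = OpenSSL::X509::Store.new
  ca_file ? store.add_file(ca_file) : store.set_default_paths
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Audit helper: returns [line_number, text] for every non-comment line
# that references VERIFY_NONE.
def find_disabled_verification(source)
  source.each_line.with_index(1)
        .reject { |line, _| line.lstrip.start_with?('#') }
        .select { |line, _| line.match?(/\bVERIFY_NONE\b/) }
        .map { |line, n| [n, line.strip] }
end

# Constructed sample source, not taken from the BOSH repository.
SAMPLE_SOURCE = <<~SRC
  # never use VERIFY_NONE in production
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  other.verify_mode = OpenSSL::SSL::VERIFY_PEER
SRC

if __FILE__ == $PROGRAM_NAME
  find_disabled_verification(SAMPLE_SOURCE).each { |n, l| puts "line #{n}: #{l}" }
end
```

Neither builder opens a connection, so the block runs offline; pointing find_disabled_verification at the contents of your own Ruby files gives a quick inventory of code paths that skip certificate checks.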

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-41860 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built BOSH images, in connected registries and CI/CD pipelines.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH) and weighting that score against each customer environment's compliance policy to determine priority. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at BOSH v282.1.9 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can execute a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network access to the service is required.

  • Authentication: Required

    A low-privilege local account is sufficient; no administrative access is needed to position a man-in-the-middle process on the host.

  • Victim interaction: Not required

    No victim action is required; the attacker passively intercepts traffic initiated by bosh-monitor.

  • Attack complexity: Detail

    Attack timing is constrained by an attack requirement (AT:P), meaning specific conditions such as a race or environmental prerequisite must align, though no exploit complexity beyond positioning is needed once they do.

Blast Radius

  • Attacker reads plaintext Basic-auth credentials transmitted between bosh-monitor and the BOSH director, enabling direct reuse of those credentials against the director API.
  • Attacker intercepts and redirects UAA token requests, allowing impersonation of bosh-monitor and acquisition of OAuth tokens scoped to infrastructure management.
  • With stolen credentials or tokens, the attacker gains high-integrity write access to the BOSH director and any systems it manages (SI:H), permitting deployment manipulation or service reconfiguration.
  • Downstream systems that depend on UAA-issued tokens or BOSH director API access inherit the same exposure, extending the blast radius to the broader Cloud Foundry control plane (SC:H, SA:H).

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE fires within minutes of publication against all images in connected registries and pipelines, including custom BOSH images. A patched-image rebuild at v282.1.9 is available for any environment where an affected version is identified. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy restricts auto-remediation, HarborGuard surfaces the finding with full CVSS detail and remediation guidance so operators can act manually. Until patching is complete, customers should consider applying network policy controls to restrict local inter-process communication on BOSH hosts, limiting the pool of principals able to reach the bosh-monitor socket.


Fix available: 282.1.9

Affected packages

  • Cloud Foundry Foundation / BOSH
    < 282.1.9 (from 0)

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H