CVE-2026-9863: Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability
Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no fix version published by Fortra yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability affects Fortra Core Privileged Access Manager (BoKS) in the client upgrade and patch tooling for legacy tar-based client installations. The flaw is reachable over the network but requires an attacker to control or compromise a legacy tar-installed client that is selected for upgrade or patching, and victim interaction is involved in the upgrade workflow; no authentication against the server is needed from the attacker's perspective. Successful exploitation allows arbitrary OS commands to execute on the BoKS Master, giving an attacker full control over the privileged access management server. HarborGuard is tracking this advisory for patch availability and will surface a patched-image rebuild the moment Fortra publishes a fix version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Fortra and NVD advisory sources, within minutes of publication and matched against customer images, including custom-built images that bundle BoKS server components. Any image containing an affected boks-server version (8.1.0.22 or below on the 8.x line, or 9.0.0.4 or below on the 9.x line) is flagged automatically in both registry scans and pipeline pre-merge checks. Status: Available.
HarborGuard scores this CVE at CVSS 7.5 HIGH and weights that score against each customer environment's compliance policy, which may escalate severity for environments where the BoKS Master image is exposed to untrusted networks. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration. Status: Available.
Because no fix version has been published by Fortra, a patched-image rebuild is not yet available. HarborGuard re-checks the Fortra advisory each ingest cycle and will make a rebuilt image available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, the rebuild, regression run, and PR-open flow will trigger without manual intervention. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The attacker must reach the BoKS Master over the network by controlling or compromising a client host that communicates with it during the upgrade or patching workflow.
- Authentication: Not required
No credentials against the BoKS Master are required; the attack is carried out by a client the server initiates contact with, not by a logged-in user.
- Victim interaction: Required
An administrator or automated process must initiate a client upgrade or patch operation targeting the malicious or compromised legacy tar-installed client for the injection to trigger.
- Attack complexity: High
Attack complexity is rated High, meaning the attacker depends on a specific environmental condition: a legacy tar-installed client must be present and selected for upgrade or patching by the BoKS Master operator.
Blast Radius
- Arbitrary OS commands execute on the BoKS Master, giving the attacker control over the central privileged access management server.
- All secrets, credentials, and access policies stored or managed by the BoKS Master are readable by the attacker.
- The attacker can modify access control policies, create or remove privileged accounts, and alter audit records on the BoKS Master.
- The BoKS Master process and the services it controls can be terminated or disrupted, blocking privileged access management across the environment.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9863 is active across all connected registries and build pipelines, flagging any image that bundles a boks-server version at or below 8.1.0.22 (8.x line) or 9.0.0.4 (9.x line). Because Fortra has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard monitors the Fortra advisory on every ingest cycle and will generate a rebuilt image and, for customers with auto-remediation enabled, open a patch PR against affected workloads as soon as a fix version is released. In the interim, compensating controls worth considering include network-policy isolation that restricts which client hosts are permitted to initiate upgrade handshakes with the BoKS Master, egress filtering on the BoKS Master to limit outbound command execution surface, and a manual audit of any legacy tar-installed clients currently enrolled for upgrade or patching. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations as policy annotations on affected image findings.
Affected Products
- Fortra / Core Privileged Access Manager (BoKS): boks-server ≤ 8.1.0.22 (8.x line), boks-server ≤ 9.0.0.4 (9.x line)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
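The version matching described above, as an added example that is not HarborGuard's or Fortra's code: it compares a boks-server version against the two inclusive upper bounds the advisory lists, one per major line, and flags images from a constructed sample inventory. It assumes dotted-integer version strings and that a version above a bound is merely outside the listed range, not confirmed fixed, since no fix version is published.

```python
# Added example (not HarborGuard's or Fortra's code): match boks-server versions
# against the affected ranges listed for CVE-2026-9863.

# Inclusive upper bound of the affected range on each major line, from the advisory.
AFFECTED_UPPER = {
    8: (8, 1, 0, 22),   # 8.x line: <= 8.1.0.22
    9: (9, 0, 0, 4),    # 9.x line: <= 9.0.0.4
}


def parse_version(v: str) -> tuple:
    """Turn '8.1.0.22' into (8, 1, 0, 22); reject anything not dotted integers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable boks-server version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected range of its major line.

    Versions above a bound are only outside the listed range; because Fortra has
    not published a fix version, they are not treated as confirmed fixed here.
    """
    parsed = parse_version(version)
    bound = AFFECTED_UPPER.get(parsed[0])
    if bound is None:
        return False  # major line not named by the advisory: no match
    # Pad both tuples so '8.1' compares like (8, 1, 0, 0) against the bound.
    width = max(len(parsed), len(bound))
    parsed += (0,) * (width - len(parsed))
    bound += (0,) * (width - len(bound))
    return parsed <= bound


def flag_images(inventory: dict) -> list:
    """Return names of images whose boks-server package is in an affected range."""
    return [name for name, pkgs in inventory.items()
            if any(pkg == "boks-server" and is_affected(ver) for pkg, ver in pkgs)]


# Constructed sample inventory: image name -> list of (package, version).
SAMPLE_INVENTORY = {
    "pam/boks-master:8.1.0.22": [("boks-server", "8.1.0.22"), ("openssl", "3.0.13")],
    "pam/boks-master:8.1.0.23": [("boks-server", "8.1.0.23")],
    "pam/boks-master:9.0.0.4": [("boks-server", "9.0.0.4")],
    "pam/boks-master:9.0.1": [("boks-server", "9.0.1")],
    "web/frontend:1.2": [("nginx", "1.25.3")],
}

if __name__ == "__main__":
    for image in flag_images(SAMPLE_INVENTORY):
        print(f"CVE-2026-9863 affected: {image}")
```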