CVE-2026-41009
Analyzed Analyzed - Analysis Complete
Path Traversal in BOSH Director

Publication date: 2026-05-27

Last updated on: 2026-06-08

Assigner: VMware

Description
When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (line 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root. Affected versions: BOSH Director: All versions prior to v282.1.12
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-08
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41009
EUVD
EUVD-2026-32098
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloud_foundry bosh to 282.1.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41009 is a medium-severity vulnerability in the Cloud Foundry BOSH Director when it is configured with a local blobstore. The issue occurs because the director processes long-running requests, such as compile_package tasks, where the agent's reply JSON contains fields like compile_log_id and blobstore_id that are passed directly to blobstore operations without any sanitization or normalization.

This lack of validation allows directory traversal attacks, where an attacker can use sequences like "../../" to access files outside the intended blobstore directory. Essentially, an attacker who can control the agent's response (for example, by having root access on a managed VM or publishing to the agent's NATS reply subject) can cause the director to read or delete arbitrary files on the system.

Impact Analysis

This vulnerability can have serious impacts including unauthorized reading and deletion of arbitrary files on the system where the BOSH Director is running. An attacker could exfiltrate sensitive files such as configuration files (e.g., director.yml) or delete critical files, which could potentially brick the director and disrupt operations.

The attacker needs to have control over the agent's response, which typically requires root access on a managed VM or the ability to publish to the agent's NATS reply subject.

Detection Guidance

This vulnerability can be detected by monitoring task logs for unusual file access patterns, especially those involving unexpected file paths or directory traversal sequences like "../../".

Since the vulnerability involves the director processing agent reply JSON containing unvalidated paths, reviewing logs related to compile_package tasks or other long-running requests may reveal suspicious activity.

Network detection could involve monitoring NATS messaging topics for unauthorized publishing to the agent's reply subjects.

  • Check BOSH Director task logs for entries referencing file paths outside the blobstore directory, e.g., using grep:
  • grep -r '\.\./' /var/vcap/store/jobs/director/logs/
  • Monitor NATS topics for unusual publishing activity to agent reply subjects.
Mitigation Strategies

The primary mitigation is to upgrade the BOSH Director to version v282.1.12 or later, where this vulnerability is fixed.

Additional immediate steps include implementing network segmentation to limit access to the director and restricting permissions on NATS topics to prevent unauthorized publishing to agent reply subjects.

Monitoring task logs for unusual file access patterns can help detect exploitation attempts and should be part of ongoing mitigation.

Compliance Impact

CVE-2026-41009 allows an attacker with control over a managed VM's agent responses to read or delete arbitrary files on the system by exploiting directory traversal in the local blobstore. This can lead to unauthorized access to sensitive files, such as configuration files, which may contain personal or confidential information.

Such unauthorized access and potential data manipulation can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and mandate the protection of personal and health information.

Therefore, if exploited, this vulnerability could compromise compliance by exposing or destroying regulated data, undermining confidentiality, integrity, and availability requirements stipulated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart