CVE-2026-41704
Path Traversal in BOSH Director
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: VMware
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | bosh_director | up to 282.1.12 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41704 is a medium-severity vulnerability in Cloud Foundry's BOSH Director versions prior to 282.1.12. It occurs because the Director's agent client processes NATS replies and calls a function to delete blobs from a shared blobstore without proper validation. Specifically, it deletes blobs based on IDs extracted from responses without checking ownership, UUID format, or namespace prefixes.
An attacker with root access to any VM in the deployment can exploit this by crafting malicious responses containing valid blob IDs, causing arbitrary deletions in the blobstore. If the blobstore is local, this can also lead to arbitrary file reads via path traversal.
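As an added illustration of the missing checks described above (this is example code, not BOSH Director's own agent client or its fix), the following Ruby validator only honours a blob ID from a NATS reply if it carries the agent's expected namespace prefix, is a well-formed UUID, and resolves inside the blobstore root; the `<namespace>/<uuid>` ID layout and the `compile_log_id` / `exception.blobstore_id` reply shape are assumptions for the example.

```ruby
require 'pathname'

# Canonical UUID shape; anything else (paths, "..", odd lengths) is rejected.
UUID_RE = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i

class BlobIdValidator
  # expected_namespace: the only prefix this agent may delete under (assumed
  # "<namespace>/<uuid>" layout). blobstore_root: directory of a local blobstore.
  def initialize(expected_namespace:, blobstore_root:)
    @ns = expected_namespace
    @root = Pathname.new(blobstore_root).cleanpath
  end

  # Returns [:ok, absolute_path] or [:reject, reason].
  def check(blob_id)
    return [:reject, 'not a string'] unless blob_id.is_a?(String)
    ns, uuid, extra = blob_id.split('/', 3)
    # A third component means extra path segments (e.g. "a/../../etc/passwd").
    return [:reject, 'missing namespace or uuid'] if uuid.nil? || extra
    return [:reject, "namespace #{ns.inspect} not owned by this agent"] unless ns == @ns
    return [:reject, 'blob id is not a UUID'] unless uuid.match?(UUID_RE)
    path = (@root + ns + uuid).cleanpath
    # Defence in depth: the resolved path must stay under the blobstore root.
    return [:reject, 'resolves outside blobstore root'] unless path.to_s.start_with?("#{@root}/")
    [:ok, path.to_s]
  end
end

# Pull the blob IDs an agent reply can name (assumed reply shape) and split them
# into deletable IDs and rejected ones with the reason, so rejects can be logged.
def blobs_safe_to_delete(reply, validator)
  candidates = [
    reply.dig('value', 'compile_log_id'),
    reply.dig('value', 'exception', 'blobstore_id')
  ].compact
  candidates.each_with_object({ ok: [], rejected: [] }) do |id, acc|
    verdict, detail = validator.check(id)
    (verdict == :ok ? acc[:ok] : acc[:rejected]) << [id, detail]
  end
end
```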
How can this vulnerability impact me?
This vulnerability allows an attacker with root access on any VM in the deployment to delete arbitrary blobs from the shared blobstore. This can result in loss of important data stored in the blobstore.
If the blobstore is local, the attacker may also read arbitrary files by exploiting path traversal vulnerabilities, potentially exposing sensitive information.
While non-local blobstores do not risk the integrity of the Director itself, attackers can still delete data if they know the blob IDs, leading to data availability issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring blobstore operations for unusual or unauthorized deletions, especially those triggered by responses containing blob IDs such as compile_log_id or exception blobstore_id fields.
Since the vulnerability involves arbitrary deletions triggered by crafted NATS replies, network monitoring for suspicious NATS traffic or unexpected blobstore delete operations can help detect exploitation attempts.
Specific commands are not provided in the available resources, but general approaches include:
- Monitoring blobstore logs for delete operations and correlating them with NATS message logs.
- Using system audit tools (e.g., auditd on Linux) to track file deletions in the blobstore directory.
- Inspecting NATS message traffic for suspicious payloads containing blob IDs.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading BOSH Director to version 282.1.12 or later, which contains the fix for this vulnerability.
Additional recommended actions are:
- Implement network segmentation to limit access between VMs and the Director.
- Monitor blobstore operations closely to detect unauthorized deletions.
- Isolate critical deployments to reduce the risk of compromise.
- Add access controls to restrict who can perform blobstore deletions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41704 allows a compromised VM to perform arbitrary deletions in the blobstore without proper validation or access controls. This can lead to unauthorized deletion of data, which may impact data integrity and availability.
Such unauthorized deletions could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate protection of data integrity, availability, and proper access controls to sensitive information.
Mitigations such as upgrading to a fixed version, implementing network segmentation, monitoring blobstore operations, isolating critical deployments, and adding access controls are recommended to reduce the risk and help maintain compliance.