CVE-2026-41704
Analyzed Analyzed - Analysis Complete
Path Traversal in BOSH Director

Publication date: 2026-05-27

Last updated on: 2026-06-08

Assigner: VMware

Description
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-08
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41704
EUVD
EUVD-2026-32108
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloud_foundry bosh to 282.1.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-41704 allows a compromised VM to perform arbitrary deletions in the blobstore without proper validation or access controls. This can lead to unauthorized deletion of data, which may impact data integrity and availability.

Such unauthorized deletions could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate protection of data integrity, availability, and proper access controls to sensitive information.

Mitigations such as upgrading to a fixed version, implementing network segmentation, monitoring blobstore operations, isolating critical deployments, and adding access controls are recommended to reduce the risk and help maintain compliance.

Executive Summary

CVE-2026-41704 is a medium-severity vulnerability in Cloud Foundry's BOSH Director versions prior to 282.1.12. It occurs because the Director's agent client processes NATS replies and calls a function to delete blobs from a shared blobstore without proper validation. Specifically, it deletes blobs based on IDs extracted from responses without checking ownership, UUID format, or namespace prefixes.

An attacker with root access to any VM in the deployment can exploit this by crafting malicious responses containing valid blob IDs, causing arbitrary deletions in the blobstore. If the blobstore is local, this can also lead to arbitrary file reads via path traversal.

Impact Analysis

This vulnerability allows an attacker with root access on any VM in the deployment to delete arbitrary blobs from the shared blobstore. This can result in loss of important data stored in the blobstore.

If the blobstore is local, the attacker may also read arbitrary files by exploiting path traversal vulnerabilities, potentially exposing sensitive information.

While non-local blobstores do not risk the integrity of the Director itself, attackers can still delete data if they know the blob IDs, leading to data availability issues.

Detection Guidance

This vulnerability can be detected by monitoring blobstore operations for unusual or unauthorized deletions, especially those triggered by responses containing blob IDs such as compile_log_id or exception blobstore_id fields.

Since the vulnerability involves arbitrary deletions triggered by crafted NATS replies, network monitoring for suspicious NATS traffic or unexpected blobstore delete operations can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Monitoring blobstore logs for delete operations and correlating them with NATS message logs.
  • Using system audit tools (e.g., auditd on Linux) to track file deletions in the blobstore directory.
  • Inspecting NATS message traffic for suspicious payloads containing blob IDs.
Mitigation Strategies

Immediate mitigation steps include upgrading BOSH Director to version 282.1.12 or later, which contains the fix for this vulnerability.

Additional recommended actions are:

  • Implement network segmentation to limit access between VMs and the Director.
  • Monitor blobstore operations closely to detect unauthorized deletions.
  • Isolate critical deployments to reduce the risk of compromise.
  • Add access controls to restrict who can perform blobstore deletions.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart