CVE-2026-41010
Status: Received - Intake
Path Traversal in BOSH Director

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VMware

Description
ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz"), where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball.

These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call.

Affected versions:
  • BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
Meta Information
Generated: 2026-06-04
AI Q&A generated: 2026-06-04
EPSS evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vmware
Product: bosh_director
Version / Range: up to 282.1.12 (excluding)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows an authenticated user with the bosh.releases.upload privilege to execute arbitrary shell commands on the BOSH Director VM. Successful exploitation could lead to full control over the BOSH Director, potentially allowing attackers to compromise the system, manipulate deployments, access sensitive data, or disrupt services.


Can you explain this vulnerability to me?

CVE-2026-41010 is a high-severity command injection vulnerability in the BOSH Director component of Cloud Foundry. It occurs when an attacker uploads a malicious release tarball containing a job name with shell metacharacters in the release.MF file. The BOSH Director's ReleaseJob#unpack method uses this job name to build a shell command for extracting the tarball. Because the job name is interpolated directly into a shell command, any shell metacharacters are interpreted, allowing command injection.

Specifically, the vulnerability arises because the job name is used verbatim in a shell command executed via /bin/sh -c, enabling an attacker to execute arbitrary shell commands on the BOSH Director VM.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious release upload activities, especially uploads containing release tarballs with job names that include shell metacharacters such as $(command).

Since exploitation requires an authenticated user with the bosh.releases.upload privilege, auditing logs for release uploads and examining the contents of release.MF files for unusual job names can help detect attempts to exploit this vulnerability.

Specific commands to detect this might include searching for suspicious patterns in release.MF files or logs. For example, you could use grep to find suspicious job names in uploaded release metadata:

  • grep -r '\$\(' /var/vcap/store/bosh/releases/*/release.MF
  • grep -r '[;$]' /var/vcap/store/bosh/releases/*/release.MF

Additionally, monitoring shell command execution logs or audit logs on the BOSH Director VM for unexpected tar command executions with unusual parameters may help detect exploitation attempts.
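The following Ruby is an added example written for this page; it is not BOSH Director code and not the advisory author's. It reconstructs the vulnerable shape from the Description (a release-supplied job name interpolated into one string destined for /bin/sh -c) as a pure function that is built but never executed, places the hardened form beside it (an allow-list check on the name, then tar invoked through an argv array so no shell parses the name), and adds a release.MF scanner that complements the grep commands above by parsing the YAML and reporting every job name that fails the allow-list. JOB_NAME_RE, the helper names and the sample manifest are assumptions made for the example.

```ruby
require 'yaml'
require 'open3'
require 'fileutils'

# Added example; none of this is BOSH Director code. JOB_NAME_RE is an assumed
# allow-list chosen for the example, not a rule taken from BOSH.
JOB_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,254}\z/

# True only for names made of characters that can neither change a shell
# command nor leave the jobs/ directory (no "/", "$", ";", quotes, spaces).
def safe_job_name?(name)
  name.is_a?(String) && JOB_NAME_RE.match?(name)
end

# The vulnerable shape described in the advisory, reconstructed as a pure
# function: the untrusted name ends up inside one string destined for
# /bin/sh -c. It is only built here, never executed.
def shell_string_for(release_dir, name)
  job_dir = File.join(release_dir, 'jobs', name)
  job_tgz = File.join(release_dir, 'jobs', "#{name}.tgz")
  "tar -C #{job_dir} -xf #{job_tgz} 2>&1"
end

# Hardened shape: reject anything outside the allow-list first, then build an
# argv array so the name reaches tar as data rather than being parsed by a shell.
def hardened_tar_argv(release_dir, name)
  raise ArgumentError, "invalid job name: #{name.inspect}" unless safe_job_name?(name)
  job_dir = File.join(release_dir, 'jobs', name)
  job_tgz = File.join(release_dir, 'jobs', "#{name}.tgz")
  ['tar', '-C', job_dir, '-xf', job_tgz]
end

# Unpack with the hardened argv. Open3.capture2e with separate arguments
# execs tar directly; /bin/sh is never involved.
def unpack_job(release_dir, name)
  argv = hardened_tar_argv(release_dir, name)
  job_dir = argv[2]
  FileUtils.mkdir_p(job_dir)
  output, status = Open3.capture2e(*argv)
  raise "tar failed for #{name}: #{output}" unless status.success?
  job_dir
end

# Detection: parse release.MF and list job names that fail the allow-list.
# Parsing the YAML also catches quoted or oddly spelled names that a grep
# for a handful of metacharacters would miss.
def suspicious_job_names(manifest_yaml)
  manifest = YAML.safe_load(manifest_yaml) || {}
  jobs = manifest['jobs'] || []
  names = jobs.map { |job| job.is_a?(Hash) ? job['name'] : job }
  names.reject { |n| safe_job_name?(n) }
end

# Constructed sample manifest for the example (not from any real release).
SAMPLE_RELEASE_MF = <<~YAML
  name: example-release
  version: 1.2.3
  jobs:
  - name: nginx
    version: 0.1.0
  - name: "web;ls"
    version: 0.1.0
  - name: "../../etc"
    version: 0.1.0
YAML

if __FILE__ == $PROGRAM_NAME
  puts "flagged job names: #{suspicious_job_names(SAMPLE_RELEASE_MF).inspect}"
end
```

Run against an extracted release's release.MF (for example, feed the file contents to suspicious_job_names) to get the list of names that would have been interpolated into the shell string; the same allow-list is what hardened_tar_argv enforces before tar is ever started, so a name that trips the scanner is exactly a name the hardened unpack refuses.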


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the BOSH Director to version v282.1.12 or later, where this vulnerability is fixed.

Restrict the bosh.releases.upload privilege to only trusted and necessary users to reduce the risk of exploitation.

Monitor release upload activities closely to detect any suspicious or unauthorized uploads.

Isolate the BOSH Director from less trusted networks to limit exposure and reduce the attack surface.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-41010 allows authenticated users with upload privileges to execute arbitrary shell commands on the BOSH Director VM, potentially leading to unauthorized control over the system.

Such unauthorized access and control could result in data breaches or unauthorized data manipulation, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls over data confidentiality, integrity, and system access.

Therefore, if exploited, this vulnerability could negatively impact an organization's ability to comply with these regulations by exposing sensitive data or compromising system integrity.

