CVE-2026-41859
MitM Credential Theft in BOSH Director via nats-sync
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | bosh | to 282.1.9 (inc) |
| vmware | nats_sync | to 282.1.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41859 is a high-severity vulnerability in Cloud Foundry's BOSH and NATS sync components caused by missing TLS encryption in communications between nats-sync and the BOSH director.
This flaw allows a network man-in-the-middle attacker to intercept sensitive director credentials such as Basic authentication headers or UAA client secrets.
The vulnerability exists because the UsersSync#bosh_api_response_body function uses an insecure Net::HTTP client with SSL verification disabled (verify_mode = OpenSSL::SSL::VERIFY_NONE) for all director API calls.
Attackers can also tamper with the VM list written into the NATS authorization file, potentially controlling which subjects are permitted.
How can this vulnerability impact me? :
Exploitation of this vulnerability allows attackers to steal director credentials, granting them administrative access to the BOSH director.
With administrative access, attackers can manipulate the VM list in the NATS authorization file, potentially disrupting operations or gaining further unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insecure communication between nats-sync and the BOSH director due to disabled SSL verification (verify_mode = OpenSSL::SSL::VERIFY_NONE). Detection can focus on identifying network traffic between these components that is not encrypted with TLS.
You can monitor network traffic for unencrypted HTTP calls to the BOSH director API endpoints such as /info, /deployments, or /deployments/<name>/vms.
Suggested commands include using packet capture tools like tcpdump or Wireshark to inspect traffic on the relevant ports for plaintext HTTP traffic instead of HTTPS/TLS.
- tcpdump -i <interface> port <director_api_port> -w capture.pcap
- tshark -r capture.pcap -Y 'http' -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri
Additionally, reviewing the BOSH and nats-sync configuration or logs for usage of insecure HTTP clients or disabled SSL verification settings can help detect vulnerable setups.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade BOSH to version v282.1.9 or later, where this vulnerability has been fixed.
This update ensures that the Net::HTTP client used by UsersSync#bosh_api_response_body enforces SSL verification, preventing man-in-the-middle attacks.
Until the upgrade can be applied, consider restricting network access between nats-sync and the BOSH director to trusted networks only, to reduce the risk of interception.
Review and harden any configurations related to TLS usage and authentication credentials to ensure they are not transmitted in plaintext.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a network man-in-the-middle attacker to steal administrative credentials and tamper with authorization data, which can lead to unauthorized access and control over sensitive systems.
Such unauthorized access and potential data manipulation could result in violations of common security and privacy standards like GDPR and HIPAA, which require protection of sensitive data and strict access controls.
Failure to secure communications and protect credentials as described in this vulnerability could lead to non-compliance with these regulations, potentially resulting in data breaches and regulatory penalties.