CVE-2026-41860
Weak Encryption in BOSH Allows Credential Theft via MITM
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VMware
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | bosh | < 282.1.9 (all releases before 282.1.9; 282.1.9 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41860 is a high-severity vulnerability in BOSH, the deployment and lifecycle tool used with Cloud Foundry. Two methods in the bosh-monitor component, HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous, build their HTTPS clients with OpenSSL::SSL::VERIFY_NONE hard-coded, so the certificate presented by the remote end is never checked against any trust store.
Because the client never establishes who it is talking to, an attacker who can get between bosh-monitor and the BOSH Director or UAA (the advisory classes this as a local attacker) can present any certificate of their own and terminate the TLS connection themselves. From that position they read the Basic-auth credentials bosh-monitor sends to the Director, or redirect its UAA token requests to an endpoint they control. The CWE attached to this entry, CWE-326 (inadequate encryption strength), is a loose fit: nothing on the page suggests the cipher suites were weakened; the flaw is that the peer's identity goes unverified, which is the condition CWE-295 (Improper Certificate Validation) describes.
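The effect of the two verify modes can be shown directly with Ruby's openssl library, which is also what bosh-monitor uses. The following is an added example, not code from BOSH or bosh-monitor: it creates a throw-away internal CA, an attacker CA and an impostor certificate for an assumed Director hostname (director.bosh.internal is a made-up name), then runs a TLS handshake over a UNIX socket pair once with a VERIFY_NONE client context, the pattern the advisory describes, and once with a VERIFY_PEER context pinned to the legitimate CA. A third handshake against the genuine certificate confirms the hardened context still accepts the real Director.

```ruby
require "openssl"
require "socket"

DIRECTOR_HOST = "director.bosh.internal" # assumed hostname, not from the advisory

# Issue a test certificate (constructed material for this example). With no
# issuer it is a self-signed CA; with an [issuer_key, issuer_cert] pair it is
# a server leaf whose subjectAltName is the given name.
def make_cert(cn, issuer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  issuer_key, issuer_cert = issuer || [key, cert]
  cert.issuer = issuer_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
  if issuer
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The weak setting the advisory describes: certificate checking is switched
# off, so whatever certificate the remote end presents is accepted.
def vulnerable_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Hardened form: verify the chain against an explicit trust store and check
# the presented name against the hostname we intended to reach.
def hardened_client_context(trusted_ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_ca_cert) }
  ctx
end

# Run one handshake over a socket pair. The "server" side plays the Director,
# or a MITM box impersonating it. Returns :accepted or :rejected.
def attempt_handshake(server_key, server_cert, client_ctx)
  client_io, server_io = Socket.pair(:UNIX, :STREAM, 0)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.key, server_ctx.cert = server_key, server_cert
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    begin
      ssl.accept
      ssl.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      nil # the client tore the connection down after refusing the certificate
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  ssl.hostname = DIRECTOR_HOST
  result = begin
    ssl.connect
    ssl.close
    :accepted
  rescue OpenSSL::SSL::SSLError
    :rejected
  end
  server.join
  [client_io, server_io].each(&:close)
  result
end

def demo
  internal_ca = make_cert("BOSH Internal CA")
  attacker_ca = make_cert("Attacker CA")
  # The real Director's certificate, and an impostor for the same name signed
  # by a CA bosh-monitor never trusted: what a MITM box would present.
  real_key,     real_cert     = make_cert(DIRECTOR_HOST, internal_ca)
  impostor_key, impostor_cert = make_cert(DIRECTOR_HOST, attacker_ca)
  {
    verify_none_vs_impostor: attempt_handshake(impostor_key, impostor_cert, vulnerable_client_context),
    verify_peer_vs_impostor: attempt_handshake(impostor_key, impostor_cert, hardened_client_context(internal_ca[1])),
    verify_peer_vs_real:     attempt_handshake(real_key, real_cert, hardened_client_context(internal_ca[1])),
  }
end

demo.each { |check, outcome| puts "#{check}: #{outcome}" } if __FILE__ == $PROGRAM_NAME
```

The impostor certificate carries the Director's exact hostname, so a hostname check alone would not catch it; only the chain check against a trust store that excludes the attacker's CA does, and VERIFY_NONE skips exactly that check. Pinning an explicit store, as the hardened context does, also avoids trusting whatever happens to be in the system CA bundle on the monitor VM.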
How can this vulnerability impact me?
An attacker in a position to intercept bosh-monitor's traffic obtains the Basic-auth credentials it uses against the Director, or can redirect its UAA token requests, and so gains authenticated access to the systems BOSH manages.
Director-level access reaches every deployment the Director controls, so the follow-on risk is compromise of the managed infrastructure, exposure of the data it holds, and manipulation of deployed components.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is a hard-coded OpenSSL::SSL::VERIFY_NONE in the bosh-monitor component, so there is nothing to observe on the wire during normal operation: the monitor's connections look like ordinary TLS. Detection is therefore a version check and, where needed, an inspection of the deployed bosh-monitor source for the insecure verify mode.
Check the Director version reported by `bosh -e <alias> env` (its Version field normally tracks the bosh release version); every release before v282.1.9 is affected.
The advisory itself provides no detection commands beyond that.
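Two offline checks that follow from the advisory, as an added example and not tooling from the BOSH project: a comparison of a reported version against the first fixed release using Gem::Version, and a scan of a tree of Ruby sources for the hard-coded VERIFY_NONE. The path /var/vcap/packages/health_monitor mentioned in the comments is an assumption about where the bosh-monitor gem is unpacked on a Director VM; the two files the script writes are constructed stand-ins that imitate the weak and the hardened pattern, not bosh-monitor's actual source.

```ruby
require "rubygems"
require "tmpdir"
require "fileutils"

FIXED_BOSH_VERSION = Gem::Version.new("282.1.9") # first fixed release per the advisory

# True when a reported Director/bosh release version already carries the fix.
# `bosh -e <alias> env` prints the version possibly followed by a build hash,
# e.g. "282.1.8 (00000000)"; only the leading dotted number is compared.
def bosh_version_fixed?(reported)
  Gem::Version.new(reported.split.first) >= FIXED_BOSH_VERSION
end

# The weak setting: VERIFY_NONE assigned to a verify_mode, or the constant
# referenced anywhere else in code. Commented-out lines are not counted.
VERIFY_NONE_RE = /verify_mode\s*=\s*(?:OpenSSL::SSL::)?VERIFY_NONE\b|OpenSSL::SSL::VERIFY_NONE\b/
COMMENT_RE = /\A\s*#/

# Walk a tree of Ruby sources (on a Director VM the unpacked bosh-monitor gem
# under /var/vcap/packages/health_monitor, an assumed path) and return
# [relative_path, line_number, stripped_line] for every live occurrence.
def scan_for_verify_none(root)
  Dir.glob(File.join(root, "**", "*.rb")).sort.flat_map do |path|
    File.foreach(path).with_index(1).filter_map do |line, no|
      next if line.match?(COMMENT_RE)
      [path.delete_prefix(root + "/"), no, line.strip] if line.match?(VERIFY_NONE_RE)
    end
  end
end

# Constructed fixture written by this example: one file imitating the weak
# pattern (with a commented-out copy that must not be reported) and one
# hardened file. Neither is bosh-monitor's real code.
def write_fixture(dir)
  lib = File.join(dir, "lib", "bosh", "monitor")
  FileUtils.mkdir_p(lib)
  File.write(File.join(lib, "weak_helper.rb"), <<~RUBY)
    class WeakHelper
      def http
        http = Net::HTTP.new(@host, @port)
        http.use_ssl = true
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
        # http.verify_mode = OpenSSL::SSL::VERIFY_NONE  (old setting, left commented out)
        http
      end
    end
  RUBY
  File.write(File.join(lib, "safe_helper.rb"), <<~RUBY)
    class SafeHelper
      def http
        http = Net::HTTP.new(@host, @port)
        http.use_ssl = true
        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
        http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
        http
      end
    end
  RUBY
end

# Build the fixture in a temporary directory, scan it and return the hits.
def demo_scan
  Dir.mktmpdir("bosh-monitor-scan") do |dir|
    write_fixture(dir)
    scan_for_verify_none(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[282.1.8 282.1.9 283.0.0].each { |v| puts "#{v}: #{bosh_version_fixed?(v) ? 'fixed' : 'vulnerable'}" }
  demo_scan.each { |path, no, line| puts "#{path}:#{no}: #{line}" }
end
```

Point `scan_for_verify_none` at the real gem directory instead of the fixture when auditing a Director VM; a hit in the HttpRequestHelper methods the advisory names is the confirming signal, while a hit elsewhere still deserves a look, since the same weak pattern would carry the same MITM exposure wherever it appears.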
What immediate steps should I take to mitigate this vulnerability?
Upgrade BOSH to v282.1.9 or later, the first release in which the fix is present.
The upgraded bosh-monitor no longer hard-codes VERIFY_NONE, so it verifies the certificates presented by the Director and UAA, and an intermediary with an untrusted certificate can no longer intercept the Basic-auth credentials or redirect the token requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-41860 affects compliance with common standards and regulations such as GDPR or HIPAA.