CVE-2026-41860
Awaiting Analysis Awaiting Analysis - Queue
Weak Encryption in BOSH Allows Credential Theft via MITM

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VMware

Description
CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials. Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-41860
EUVD
EUVD-2026-34192
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vmware bosh to 282.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41860 is a high-severity vulnerability in BOSH, a tool used with Cloud Foundry. The issue arises because certain functions in the bosh-monitor component, specifically HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous, disable TLS certificate validation by hard-coding OpenSSL::SSL::VERIFY_NONE.

This lack of certificate verification allows a local attacker to perform man-in-the-middle (MITM) attacks. Through these attacks, the attacker can intercept traffic between bosh-monitor and the BOSH director or UAA, enabling them to steal Basic-auth credentials or redirect UAA token requests.

Impact Analysis

This vulnerability can have serious impacts by allowing a local attacker to intercept sensitive authentication information. Specifically, an attacker can steal Basic-auth credentials or redirect UAA token requests, potentially gaining unauthorized access to systems managed by BOSH.

Such unauthorized access could lead to further compromise of the infrastructure, data breaches, or manipulation of system components, posing significant security risks.

Detection Guidance

This vulnerability involves the hard-coding of OpenSSL::SSL::VERIFY_NONE in the bosh-monitor component, which disables TLS certificate verification. Detection would involve inspecting the BOSH bosh-monitor source code or runtime behavior to identify if these insecure SSL verification settings are present.

Specifically, you can check the version of BOSH installed to see if it is prior to v282.1.9, as all versions before this are vulnerable.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

The primary mitigation step is to upgrade BOSH to version v282.1.9 or later, where this vulnerability has been fixed.

Upgrading ensures that the hard-coded disabling of TLS verification is removed, preventing man-in-the-middle attacks that could steal credentials or redirect token requests.

Compliance Impact

The provided information does not specify how CVE-2026-41860 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart