CVE-2026-47840
Received Received - Intake

Impersonation via Trusted CA Certificates in UAA LDAP Authentication

Vulnerability report for CVE-2026-47840, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VMware

Description

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cloud_foundry uaa to 78.13.0 (exc)
cloud_foundry cf_deployment to 56.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47840 is a high-severity vulnerability in Cloud Foundry's User Account and Authentication (UAA) component when using LDAP with StartTLS. The issue occurs because hostname verification is unconditionally disabled during StartTLS connections. This allows a network attacker positioned between UAA and the LDAP directory to impersonate the directory by using any certificate from a trusted Certificate Authority.

By exploiting this, the attacker can harvest the LDAP bind password and every end-user password sent during simple-bind authentication. Additionally, the attacker can forge group memberships to grant themselves administrative scopes.

This vulnerability affects all UAA versions prior to v78.13.0 and cf-deployment versions prior to v56.2.0 where LDAP with StartTLS is configured.

Impact Analysis

If you are using affected versions of UAA or cf-deployment with LDAP over StartTLS, an attacker positioned on the network between your UAA and LDAP directory can impersonate the LDAP directory.

This allows the attacker to steal LDAP bind passwords and all end-user passwords transmitted during simple-bind authentication, compromising user credentials.

Furthermore, the attacker can forge group memberships to grant themselves administrative privileges, potentially leading to unauthorized access and control over your system.

Detection Guidance

This vulnerability affects deployments that authenticate users against LDAP over StartTLS, typically using ldap:// URLs on port 389 with TLS upgrade settings. Detection involves identifying if your UAA or cf-deployment is using LDAP with StartTLS and if the versions are prior to the fixed releases.

You can check your UAA and cf-deployment versions to see if they are vulnerable (UAA versions prior to v78.13.0 and cf-deployment versions prior to v56.2.0).

To detect if LDAP StartTLS is in use, you might inspect configuration files or network traffic for ldap:// connections on port 389 that upgrade to TLS.

For network detection, monitoring LDAP traffic on port 389 and checking for StartTLS usage can help identify exposure.

Specific commands are not provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade affected components to fixed versions: upgrade UAA to version 78.13.0 or later, and cf-deployment to version 56.2.0 or later.

Alternatively, avoid using LDAP over StartTLS by switching to LDAPS (ldaps:// on port 636), which is not affected by this vulnerability.

If upgrading immediately is not possible, consider disabling LDAP authentication or restricting network access to LDAP servers to trusted hosts only.

Compliance Impact

This vulnerability allows a network attacker to harvest LDAP bind passwords and end-user passwords, as well as forge group memberships to gain admin privileges. Such unauthorized access and credential compromise can lead to violations of data protection and privacy requirements mandated by standards like GDPR and HIPAA, which require safeguarding user credentials and preventing unauthorized access to sensitive information.

Because the attacker can impersonate the LDAP directory and obtain sensitive authentication data, organizations using affected versions of UAA and cf-deployment with LDAP over StartTLS may fail to meet compliance obligations related to confidentiality, integrity, and access control.

Mitigating this vulnerability by upgrading to fixed versions or using LDAPS is essential to maintain compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart