CVE-2026-47828

BOSH · bosh-cli

The BOSH CLI fails to verify server certificates when uploading data to the DAV blobstore, enabling potential man-in-the-middle attacks and root code execution.

Executive summary

The BOSH CLI contains a critical certificate validation flaw that allows attackers to conduct man-in-the-middle attacks and gain root-level code execution.

Vulnerability

This is an improper certificate validation vulnerability (CWE-295) occurring during the upload of CPI packages and job templates. The CLI fails to verify the DAV blobstore server certificate, allowing an attacker to intercept communications and inject malicious content.

Business impact

With a CVSS score of 8.9, this vulnerability is highly critical as it permits full compromise of the deployment process. An attacker performing a man-in-the-middle attack can achieve root code execution on new VMs, leading to total environment compromise, credential theft, and unauthorized persistence.

Remediation

Immediate Action: Upgrade the BOSH CLI to version 7.10.4 or later to ensure proper TLS certificate verification is enforced.

Proactive Monitoring: Monitor network traffic for suspicious TLS certificate discrepancies or unexpected connections directed toward the DAV blobstore.

Compensating Controls: Ensure that the BOSH environment is restricted to trusted internal networks and that all communication channels are strictly governed by secure, verified connections where possible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a severe risk to the entire BOSH deployment pipeline. It is imperative that all instances of the BOSH CLI are updated immediately to version 7.10.4 to remediate this critical security gap.