CVE-2026-47828
BOSH · bosh-cli
The BOSH CLI fails to verify server certificates when uploading data to the DAV blobstore, enabling potential man-in-the-middle attacks and root code execution.
Executive summary
The BOSH CLI contains a critical certificate validation flaw that allows attackers to conduct man-in-the-middle attacks and gain root-level code execution.
Vulnerability
This is an improper certificate validation vulnerability (CWE-295) occurring during the upload of CPI packages and job templates. The CLI fails to verify the DAV blobstore server certificate, allowing an attacker to intercept communications and inject malicious content.
Business impact
With a CVSS score of 8.9, this vulnerability is highly critical as it permits full compromise of the deployment process. An attacker performing a man-in-the-middle attack can achieve root code execution on new VMs, leading to total environment compromise, credential theft, and unauthorized persistence.
Remediation
Immediate Action: Upgrade the BOSH CLI to version 7.10.4 or later to ensure proper TLS certificate verification is enforced.
Proactive Monitoring: Monitor network traffic for suspicious TLS certificate discrepancies or unexpected connections directed toward the DAV blobstore.
Compensating Controls: Ensure that the BOSH environment is restricted to trusted internal networks and that all communication channels are strictly governed by secure, verified connections where possible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a severe risk to the entire BOSH deployment pipeline. It is imperative that all instances of the BOSH CLI are updated immediately to version 7.10.4 to remediate this critical security gap.