CVE-2026-41860

Published: Giu 04, 2026 Last Modified: Giu 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,1

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 8,8

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.

Affected versions:
- BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

326

Inadequate Encryption Strength

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Confidentiality

Potential Impacts:

Bypass Protection Mechanism Read Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://www.cloudfoundry.org/blog/cve-2026-41860-missing-tl…

https://www.cloudfoundry.org/blog/cve-2026-41860-missing-tls-verify-on-bosh-mon…

CVE-2026-41860

Description

Inadequate Encryption Strength

Common Consequences

Applicable Platforms

Iscriviti alla newsletter