Description
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. Only deployments that use EC keys for JWT signing are affected; RSA key configurations are not.

Affected versions:
- uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later
- CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
Published: 2026-06-01
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to retrieve EC private key components via the /token_keys endpoint, which is intended to expose only public keys for JWT verification. With the signing key in hand, an attacker could forge JWTs that every relying service trusting UAA's key would accept, impersonating legitimate services and compromising integrity and confidentiality.

Affected Systems

Deployments using Cloud Foundry Foundation’s CF Deployment and the uaa_release component are affected. uaa_release versions v76.12.0 through v78.12.0 expose private keys, and CF Deployment bundles these affected uaa_release versions between v30.0.0 and v56.0.0. The issue does not affect RSA configurations and is limited to EC signing keys.

Risk and Exploitability

The vulnerability is rated CVSS 10, indicating critical severity. No EPSS score is reported, but the private key is exposed over a network endpoint that is publicly reachable by any consumer of the UAA service, so a remote attacker could simply query /token_keys to obtain the key. It is not listed in CISA KEV, yet the potential for token forgery warrants immediate remediation.

Generated by OpenCVE AI on June 1, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the fixed uaa_release version v78.13.0 or later, and upgrade CF Deployment to v56.1.0 or later, which includes the patched uaa_release.
  • If an upgrade is not immediately feasible, restrict network access to the /token_keys endpoint so that only trusted internal services can query it, preventing external exposure of the key material.
  • Disable EC key usage for JWT signing by configuring the UAA to use RSA keys or by removing EC signing keys from the deployment, thereby preventing the private key from being exposed via the endpoint.
  • Monitor UAA logs for any unauthorized token requests or unusual verification usage patterns, and revoke any compromised keys if an exposure is suspected.
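A quick way to confirm whether a deployment is exposing key material is to audit the /token_keys response for JWK members that belong only in a private key. The following Python check is an added example, not UAA or OpenCVE code; it assumes /token_keys returns a standard JWK Set (RFC 7517, a JSON object with a "keys" array) and uses the RFC 7518 member names ("d" for an EC private scalar; "d", "p", "q", "dp", "dq", "qi", "oth" for RSA). The sample response embedded below is constructed, with placeholder values rather than real key material.

```python
"""Audit a JWK Set (e.g. a saved /token_keys response) for private-key members
that must never appear in a public key set."""
import json

# Private-key members per key type (RFC 7518 sections 6.2.2 and 6.3.2).
EC_PRIVATE_MEMBERS = {"d"}
RSA_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}


def find_leaked_private_members(jwks: dict) -> list[dict]:
    """Return one finding per key that carries private members.

    Each finding records the key's position, kid, kty and the offending
    member names, so the output can be matched against the deployment's
    signing-key configuration.
    """
    findings = []
    for idx, key in enumerate(jwks.get("keys", [])):
        kty = key.get("kty")
        if kty == "EC":
            leaked = sorted(EC_PRIVATE_MEMBERS & key.keys())
        elif kty == "RSA":
            leaked = sorted(RSA_PRIVATE_MEMBERS & key.keys())
        else:
            leaked = []  # other key types are not assessed by this check
        if leaked:
            findings.append(
                {"index": idx, "kid": key.get("kid"), "kty": kty, "leaked": leaked}
            )
    return findings


def audit_token_keys(body: str) -> list[dict]:
    """Parse a raw JWK Set body and return the leak findings."""
    return find_leaked_private_members(json.loads(body))


# Constructed sample of a leaky response: the RSA key is clean, the EC key
# carries a "d" member. All values are placeholders, not real key material.
SAMPLE_LEAKY_JWKS = json.dumps(
    {
        "keys": [
            {
                "kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256",
                "n": "PLACEHOLDER_MODULUS", "e": "AQAB",
            },
            {
                "kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256",
                "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y",
                "d": "PLACEHOLDER_PRIVATE_SCALAR",
            },
        ]
    }
)

if __name__ == "__main__":
    import sys

    # Read a real response from stdin when one is piped in; otherwise
    # demonstrate on the constructed sample.
    body = SAMPLE_LEAKY_JWKS if sys.stdin.isatty() else sys.stdin.read()
    findings = audit_token_keys(body)
    for f in findings:
        print(f"LEAK kid={f['kid']} kty={f['kty']} members={f['leaked']}")
    if not findings:
        print("no private-key members found")
```

Run it against your own deployment by piping the saved /token_keys body into the script; any finding means the affected key must be treated as compromised and rotated after upgrading, since the exposure cannot be undone by the fix alone. Note that the check only inspects standard JWK members; any vendor-specific fields in the response are ignored.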

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 00:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Cloudfoundry; Cloudfoundry cf-deployment; Cloudfoundry uaa-release
Vendors & Products                      Cloudfoundry; Cloudfoundry cf-deployment; Cloudfoundry uaa-release

Mon, 01 Jun 2026 23:15:00 +0000

Type      Values Removed    Values Added
Title                       Cloud Foundry UAA Private Key Disclosure via /token_keys Endpoint

Mon, 01 Jun 2026 21:45:00 +0000

Type          Values Removed    Values Added
Description                     Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. The vulnerability affects deployments using EC keys for JWT token signing. The vulnerability does not affect RSA key configurations, only deployments using EC keys for JWT signing. Affected versions: - uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later - CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
Weaknesses                      CWE-200
References
Metrics                         cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L'}
                                cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-03T03:56:02.003Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40965

Vulnrichment

Updated: 2026-06-02T13:09:19.935Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T22:16:25.600

Modified: 2026-06-02T14:01:54.893

Link: CVE-2026-40965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T00:00:13Z

Weaknesses