Description
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix.

Affected versions:
BOSH Director: All versions prior to v282.1.12
Published: 2026-05-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2026-41704 allows an attacker who has compromised a VM in a Cloud Foundry environment to trigger arbitrary deletions of blobstore objects within the BOSH Director's shared blobstore. The vulnerability arises from the AgentClient's handling of every NATS reply; it invokes a helper that unconditionally calls delete_resource on the blobstore without performing any ownership or format validation. As a result, any attacker capable of generating a crafted NATS message can cause the Director to delete any blob, leading to data loss and service disruption. The flaw is an instance of improper access control (CWE‑284).

Affected Systems

Cloud Foundry Foundation BOSH Director installations with versions earlier than 282.1.12 are affected. The vulnerability is present in all prior releases of the Director produced by the Cloud Foundry Foundation. No other vendors or products are mentioned.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity. EPSS is not available, so the likelihood estimate is unknown from the data. KEV does not list this vulnerability, so it is not confirmed as currently exploited in the wild. The attack requires that an actor has control over a VM that can send NATS replies; thus the vector is likely internal network compromise. If an attacker can reach the BOSH Director, they can trigger the deletion path and remove arbitrary resources. Given the lack of access control checks, the exploitability is high once the victim VM is compromised, but does not allow remote code execution or privilege escalation outside of blob deletion.

Generated by OpenCVE AI on May 27, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest BOSH Director patch (v282.1.12 or later) to remove the unchecked delete logic.
  • Network‑segment or firewall the compromised VM so it cannot send unsolicited NATS replies to the Director.
  • Enable strict NATS authentication and authorization to ensure only authorized nodes can message the Director, preventing malicious NATS replies.

Generated by OpenCVE AI on May 27, 2026 at 09:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12
Title Compromised VM can make arbitrary blobstore deletes
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N'}

cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-05-27T13:39:01.678Z

Reserved: 2026-04-22T06:21:34.489Z

Link: CVE-2026-41704

cve-icon Vulnrichment

Updated: 2026-05-27T13:38:55.847Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T08:16:43.843

Modified: 2026-05-27T14:54:20.160

Link: CVE-2026-41704

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T09:45:30Z

Weaknesses