Description
CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.

Affected versions:
- BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
Published: 2026-06-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected component is BOSH’s HttpRequestHelper, which hard‑codes the SSL verification mode to VERIFY_NONE. Because of this, a user who has local access to a system running bosh‑monitor can perform a man‑in‑the‑middle between the monitor and the BOSH director or the UAA service, capturing Basic‑Auth credentials or redirecting OAuth token requests. The consequence is the compromise of authentication tokens or credentials used by other services, leading to lateral movement or full system takeover.

Affected Systems

Cloud Foundry Foundation’s BOSH platform is impacted. All releases prior to version 282.1.9, inclusive, contain the hard‑coded verify flag. This includes the bosh‑monitor component that issues HTTP requests to the BOSH director and to the UAA service.

Risk and Exploitability

The CVSS score of 7.1 reflects a moderate‑to‑high severity. The EPSS score is not provided, but the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed public exploitation yet. Nonetheless, a local attacker with access to the bosh‑monitor host can launch the attack by simply accessing the HTTP endpoints without additional network reachability. The exploit path is straightforward: first exploit local access, then intercept the TLS connections, and subsequently capture credentials or reroute OAuth traffic. Prevention requires securing the TLS validation and restricting local access.

Generated by OpenCVE AI on June 4, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BOSH to version 282.1.9 or later, which removes the hard‑coded VERIFY_NONE setting.
  • Verify that the bosh‑monitor to director and UAA communications use TLS with certificate verification enabled; ensure OpenSSL settings enforce VERIFY_PEER.
  • Restrict network access so that only the bosh‑monitor can reach the director and UAA over the expected internal interfaces, blocking unauthorized hosts.
  • Consider disabling or replacing HTTP Basic authentication on the bosh‑monitor with stronger token‑based mechanisms and monitor for anomalous credential usage.

Generated by OpenCVE AI on June 4, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Local BOSH Monitor TLS Verification Bypass Enables MITM Credential Theft
First Time appeared Cloud Foundry
Cloud Foundry bosh
Vendors & Products Cloud Foundry
Cloud Foundry bosh

Thu, 04 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials. Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
Weaknesses CWE-326
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Cloud Foundry Bosh
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-04T01:40:23.892Z

Reserved: 2026-04-22T06:22:10.082Z

Link: CVE-2026-41860

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T03:16:20.107

Modified: 2026-06-04T03:16:20.107

Link: CVE-2026-41860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T03:30:04Z

Weaknesses