Description
Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to local command execution on the operator's workstation.
Affected versions: bosh-cli versions prior to v7.10.4.
Published: 2026-07-09
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from argument injection in the BOSH CLI, allowing an attacker who compromises the BOSH Director to inject arbitrary OpenSSH options into a locally spawned ssh process. When an operator runs non‑interactive SSH commands such as bosh ssh -c or bosh logs -f, these unintended options are applied, causing the operator’s machine to execute arbitrary local commands. This represents an Argument Injection flaw that can lead to remote code execution on the workstation even though the attacker does not directly control the operator’s terminal.

Affected Systems

CloudFoundry Foundation’s BOSH CLI is affected, specifically all releases earlier than version 7.10.4. Operators using these older versions should be aware that the CLI’s handling of SSH options is insecure until they upgrade.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, implying no active, publicly known exploitation attempts. The likely attack vector requires the attacker to compromise the BOSH Director and then trick an operator into using the vulnerable cmd line paths, which requires privileged access to the Director’s configuration or ssh keys. Even with limited exploitation probability, the impact of local command execution on an operator workstation is significant, potentially enabling data exfiltration, credential theft, or further lateral movement.

Generated by OpenCVE AI on July 9, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to BOSH CLI version 7.10.4 or later, which removes the vulnerable handling of SSH options.
  • If an upgrade cannot be performed immediately, disable or restrict the use of non‑interactive SSH commands (such as bosh ssh -c and bosh logs -f) that allow arbitrary SSH options in your environment.
  • Implement network segmentation or firewall rules to isolate operator workstations from the BOSH Director so that a compromised Director cannot influence SSH sessions on operator machines.

Generated by OpenCVE AI on July 9, 2026 at 23:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-78

Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 07:00:00 +0000

Type Values Removed Values Added
Description Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to local command execution on the operator's workstation. Affected versions: bosh-cli versions prior to v7.10.4.
Title Argument Injection in BOSH CLI Allows Local Command Execution on Operator Workstations via Compromised Director
References
Metrics cvssV3_0

{'score': 8.3, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-07-09T13:12:14.523Z

Reserved: 2026-05-20T10:00:48.931Z

Link: CVE-2026-47829

cve-icon Vulnrichment

Updated: 2026-07-09T13:12:08.135Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T23:15:07Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')