CVE-2026-41860

HIGH 8.8

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials. Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

CWE	CWE-326
Vendor	cloud foundry foundation
Product	bosh
Published	Jun 4, 2026
Last Updated	Jun 4, 2026

Stay Ahead of the Next One

Get instant alerts for cloud foundry foundation bosh

Be the first to know when new high vulnerabilities affecting cloud foundry foundation bosh are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Cloud Foundry Foundation / BOSH

0 < 282.1.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cloudfoundry.org: https://www.cloudfoundry.org/blog/cve-2026-41860-missing-tls-verify-on-bosh-monitor/