CVE-2026-41010
Description
BOSH Director command injection vulnerability allows authenticated users to execute arbitrary commands via crafted release tarballs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in BOSH Director's ReleaseJob#unpack method. The job name is read directly from the attacker-supplied release.MF manifest inside an uploaded release tarball and used to build the job's directory and archive paths, and Bosh::Common::Exec.sh interpolates those paths into a tar command string that is handed to a shell. Shell metacharacters in the job name are therefore interpreted by the shell rather than treated as part of a file name, leading to command execution. All versions of BOSH Director prior to v282.1.12 are affected [1].
Exploitation
An attacker with the bosh.releases.upload privilege can craft a release tarball whose release.MF lists a job name containing shell metacharacters, such as x$(bash -c 'id>/tmp/pwn'). The tarball must also include a matching jobs/x$(bash -c 'id>/tmp/pwn').tgz entry so that processing reaches the unpack step. When the release is uploaded via a POST to /releases, the Director processes it and the shell evaluates the $(...) substitution before tar ever runs, executing the attacker's command on the BOSH Director VM [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the BOSH Director VM with the privileges of the BOSH Director process. This can lead to a full compromise of the BOSH Director, including potential disclosure of sensitive information, modification of system files, and disruption of services managed by BOSH [1].
Mitigation
Users of affected products are strongly encouraged to upgrade BOSH Director to version v282.1.12 or later [1]. No workarounds are specified in the available references; until the upgrade is applied, restricting which identities hold the bosh.releases.upload scope limits who can reach the vulnerable code path.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <282.1.12
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The release job name is directly interpolated into a shell command without sanitization, allowing shell metacharacters to be executed."
Attack vector
An attacker with `bosh.releases.upload` scope can craft a release tarball. This tarball's `release.MF` file contains a job name with shell metacharacters, such as `x$(bash -c 'id>/tmp/pwn')`. A matching tar entry for the job archive is also required. When this release is uploaded, the BOSH Director processes the `release.MF` file and executes the crafted job name within a shell command, leading to arbitrary command execution on the Director VM [1].
Affected code
The vulnerability exists in the `ReleaseJob#unpack` method, which constructs file paths using the job name taken from `release.MF`. These paths are then used in a shell command executed via `Bosh::Common::Exec.sh` [1]. The relevant code snippet is `Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return)` [1].
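The following Ruby is an added example written for this page; it is not BOSH Director's code. It reproduces the pattern described in the Exploitation and Affected code sections above (a job name from `release.MF` interpolated into a `tar` command string run by a shell) beside a hardened form, and shows the difference with a harmless payload. Assumptions: `Open3.capture2e` stands in for `Bosh::Common::Exec.sh` (a single string argument goes through `/bin/sh -c`, an argv array does not); the `jobs/<name>.tgz` and `unpacked/<name>` layout, the `SAFE_JOB_NAME` allowlist and the fixture archive are constructed for the example. The payload only creates a marker file in a throwaway directory, standing in for the advisory's `id>/tmp/pwn`.

```ruby
require "open3"
require "tmpdir"
require "fileutils"

# Allowlist for job names taken from release.MF. BOSH job names are plain
# identifiers, so anything else is rejected before it can reach a path or an
# argv. This pattern is an assumption for the example, not BOSH's own rule.
SAFE_JOB_NAME = /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/

# Mirrors the vulnerable pattern: the job name is interpolated into one string
# that is handed to /bin/sh. Open3.capture2e with a single string argument runs
# it through the shell, exactly as backticks or Kernel#system("...") would.
def vulnerable_unpack(release_dir, job_name)
  job_dir = File.join(release_dir, "unpacked", job_name)
  job_tgz = File.join(release_dir, "jobs", "#{job_name}.tgz")
  FileUtils.mkdir_p(job_dir)
  output, status = Open3.capture2e("tar -C #{job_dir} -xf #{job_tgz} 2>&1")
  [output, status.exitstatus]
end

# Hardened form: validate the name, then run tar with an argv array so no shell
# is involved. Even if validation were skipped, "$(...)" would reach tar as
# literal bytes in a file name rather than being evaluated.
def safe_unpack(release_dir, job_name)
  unless job_name.match?(SAFE_JOB_NAME)
    raise ArgumentError, "rejected job name #{job_name.inspect}"
  end
  job_dir = File.join(release_dir, "unpacked", job_name)
  job_tgz = File.join(release_dir, "jobs", "#{job_name}.tgz")
  FileUtils.mkdir_p(job_dir)
  output, status = Open3.capture2e("tar", "-C", job_dir, "-xf", job_tgz)
  [output, status.exitstatus]
end

# Constructed stand-in for the advisory's `x$(bash -c 'id>/tmp/pwn')` payload:
# the substitution only creates a marker file inside a throwaway directory.
# Returns true when the unpack method let the shell run the substitution.
def injection_fires?(unpack_method)
  Dir.mktmpdir("bosh-cve") do |dir|
    marker = File.join(dir, "marker")
    evil_name = "x$(touch #{marker})"
    begin
      send(unpack_method, dir, evil_name)
    rescue ArgumentError
      # safe_unpack refuses the name before anything executes
    end
    File.exist?(marker)
  end
end

# Constructed fixture: a legitimate jobs/<name>.tgz built with tar via argv,
# used to show that the hardened path still extracts real job archives.
def write_job_tgz(release_dir, job_name)
  src = File.join(release_dir, "src", job_name)
  FileUtils.mkdir_p(File.join(src, "templates"))
  File.write(File.join(src, "monit"), "check process #{job_name}\n")
  FileUtils.mkdir_p(File.join(release_dir, "jobs"))
  tgz = File.join(release_dir, "jobs", "#{job_name}.tgz")
  _, status = Open3.capture2e("tar", "-czf", tgz, "-C", src, ".")
  raise "could not build fixture archive" unless status.success?
  tgz
end

# True when safe_unpack extracts a well-formed job archive into unpacked/<name>.
def safe_unpack_extracts?(job_name = "web")
  Dir.mktmpdir("bosh-cve") do |dir|
    write_job_tgz(dir, job_name)
    _, exit_code = safe_unpack(dir, job_name)
    exit_code == 0 && File.exist?(File.join(dir, "unpacked", job_name, "monit"))
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable_unpack ran the substitution: #{injection_fires?(:vulnerable_unpack)}"
  puts "safe_unpack ran the substitution:       #{injection_fires?(:safe_unpack)}"
  puts "safe_unpack extracts a real job:        #{safe_unpack_extracts?}"
end
```

Run it as a script: the vulnerable path creates the marker (the shell expanded `$(touch ...)` before `tar` saw its arguments), the hardened path never does, and the hardened path still extracts a legitimate archive. Note that the `2>&1` in the original snippet is only meaningful because a shell is present; with an argv exec, `capture2e` already merges stderr, so nothing is lost by dropping the shell.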
What the fix does
The advisory recommends upgrading BOSH Director to version v282.1.12 or later to address this vulnerability. A specific patch diff is not provided, so what the fix changes cannot be confirmed here; the standard remediation for this class is to validate the job name from `release.MF` against a strict allowlist and to invoke `tar` with an argument vector rather than a shell-interpreted string, since escaping alone is fragile and leaves the shell in the path [1].
Preconditions
- Auth: authenticated user with `bosh.releases.upload` scope.
- Input: crafted release tarball with a malicious job name in `release.MF` and a corresponding tar entry.
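The two preconditions above (a job name in `release.MF` carrying shell metacharacters, plus a matching `jobs/<name>.tgz` entry) can be checked on a release tarball before it is uploaded, or on releases already sitting in a Director's blobstore. The following Ruby is an added example for this page, not BOSH tooling: it builds a constructed release tarball with the standard-library `Gem::Package::TarWriter`, reads it back, and flags any manifest job whose name falls outside an assumed allowlist or has no archive entry. The `release.MF` layout (`jobs:` list with `name` keys) and the `SAFE_JOB_NAME` pattern are assumptions for the example; the advisory's payload string appears only as data and is never executed.

```ruby
require "rubygems/package"
require "stringio"
require "yaml"
require "zlib"

# Allowlist a Director should enforce on job names; an assumption for this
# example rather than BOSH's documented rule.
SAFE_JOB_NAME = /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/

# Constructed fixture builder: a gzipped release tarball whose release.MF lists
# `manifest_jobs` and which carries a jobs/<name>.tgz entry for each of
# `archive_jobs`. The job archives are stub bytes; only the names matter here.
def build_release_tgz(manifest_jobs, archive_jobs = manifest_jobs)
  manifest = {
    "name" => "demo-release", "version" => "0+dev.1",
    "jobs" => manifest_jobs.map { |n| { "name" => n, "version" => "1", "fingerprint" => "f", "sha1" => "s" } },
    "packages" => [],
  }.to_yaml
  tar_io = StringIO.new("".b)
  Gem::Package::TarWriter.new(tar_io) do |tar|
    tar.add_file_simple("release.MF", 0o644, manifest.bytesize) { |io| io.write(manifest) }
    archive_jobs.each do |name|
      stub = "stub job archive".b
      tar.add_file_simple("jobs/#{name}.tgz", 0o644, stub.bytesize) { |io| io.write(stub) }
    end
  end
  Zlib.gzip(tar_io.string)
end

# Reads the tarball once and returns the manifest text plus every entry name.
def read_release(tgz_bytes)
  names = []
  manifest = nil
  Gem::Package::TarReader.new(StringIO.new(Zlib.gunzip(tgz_bytes))) do |tar|
    tar.each do |entry|
      name = entry.full_name.sub(%r{\A\./}, "")
      names << name
      manifest = entry.read.force_encoding("UTF-8") if name == "release.MF"
    end
  end
  [manifest, names]
end

# Returns one hash per problem: a job name outside the allowlist (the injection
# precondition) or a manifest job with no matching archive entry.
def scan_release(tgz_bytes)
  manifest, names = read_release(tgz_bytes)
  return [{ job: nil, finding: "release.MF missing" }] if manifest.nil?
  findings = []
  Array(YAML.safe_load(manifest)["jobs"]).each do |job|
    name = job["name"].to_s
    unless name.match?(SAFE_JOB_NAME)
      findings << { job: name, finding: "job name contains characters outside #{SAFE_JOB_NAME.source}" }
    end
    unless names.include?("jobs/#{name}.tgz")
      findings << { job: name, finding: "no jobs/#{name}.tgz entry in tarball" }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  evil = "x$(bash -c 'id>/tmp/pwn')"   # the advisory's payload, used only as data
  scan_release(build_release_tgz(["web", evil])).each { |f| puts "#{f[:job].inspect}: #{f[:finding]}" }
end
```

To scan a real release, replace the fixture with `File.binread("my-release.tgz")`; the scan never opens a shell, so it is safe to run on untrusted input. Names are checked as whole strings against the allowlist, which also excludes `/` and leading `.`, so path traversal through the job name is rejected by the same rule.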
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.