CVE-2026-41859
Description
A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials and tamper with the VM list nats-sync receives, gaining administrative access to the director.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A network man-in-the-middle vulnerability exists in the nats-sync component of BOSH director: the Net::HTTP client it uses for director calls is configured with verify_mode = OpenSSL::SSL::VERIFY_NONE, so it accepts any certificate and never establishes that the peer is the real director. All versions of BOSH prior to v282.1.9 are affected. The UsersSync#bosh_api_response_body method makes these calls, and NATSSync::AuthProvider relies on the unauthenticated /info response when it sends the UAA client secret, so that secret also travels over the unverified channel [1].
Exploitation
An attacker positioned as a network man-in-the-middle between nats-sync and the BOSH director can terminate the TLS connection with a certificate of their own, since nats-sync never verifies it, and then read or modify everything that passes through. This lets the attacker capture the director credentials nats-sync sends, such as the Basic auth header or the UAA client secret, and alter the director's responses, including the VM list that nats-sync writes into the NATS authorization file [1].
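The following Ruby example is added here to illustrate the failure mode described in the Vulnerability and Exploitation sections; it is not code from BOSH or nats-sync, and the helper names (self_signed_cert, start_https_responder, fetch_info, run_demo), the credentials, the ports and the forged /info body are all constructed for the demonstration. It stands up two local HTTPS responders, one presenting a "director" certificate and one presenting an attacker's look-alike certificate with the same names, then performs a Basic-authenticated /info request with a Net::HTTP client configured with verify_mode = OpenSSL::SSL::VERIFY_NONE (the vulnerable setting) and again with VERIFY_PEER plus a certificate store that trusts only the real director certificate (the standard hardened form; the page does not show the exact shape of the upstream fix). Under VERIFY_NONE the look-alike is accepted, the impostor captures the Authorization header and its forged /info body is believed, which is the same trust gap that lets a tampered VM list through; under VERIFY_PEER the impostor's handshake is rejected before any credential is sent, while the real director still connects.

```ruby
require 'net/http'
require 'openssl'
require 'socket'
require 'json'

# Constructed fixture: a self-signed certificate with the given SAN entries.
# Stand-in for the director's real certificate (and for an attacker's look-alike).
def self_signed_cert(cn, ip, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn},IP:#{ip}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Minimal HTTPS responder on 127.0.0.1 (constructed, not a BOSH component). It records
# every Authorization header it receives into `captured` and answers any request with
# `body`. Run with the attacker's certificate it plays the man-in-the-middle; with the
# director's certificate it plays the director.
def start_https_responder(cert, key, body, captured)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    Thread.current.report_on_exception = false
    loop do
      begin
        conn = ssl.accept
      rescue StandardError        # handshake aborted by a client that rejected our cert, or listener closed
        break if tcp.closed?
        next
      end
      begin
        while (line = conn.gets) && line.strip != ''
          captured << line.sub(/\AAuthorization:\s*/i, '').strip if line =~ /\AAuthorization:/i
        end
        conn.write("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n" \
                   "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
      rescue IOError, SystemCallError
      ensure
        conn.close
      end
    end
  end
  [tcp.addr[1], tcp]
end

# A director /info call with Basic auth under a chosen TLS policy (hypothetical helper,
# not the nats-sync code). VERIFY_NONE is the vulnerable setting; the hardened form is
# VERIFY_PEER plus a store that holds only the director's CA or certificate.
def fetch_info(port, user, password, verify_mode:, cert_store: nil)
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl     = true
  http.verify_mode = verify_mode
  http.cert_store  = cert_store if cert_store
  req = Net::HTTP::Get.new('/info')
  req.basic_auth(user, password)
  JSON.parse(http.request(req).body)
end

def run_demo
  director_cert, director_key = self_signed_cert('bosh-director', '127.0.0.1', 1)
  mitm_cert, mitm_key         = self_signed_cert('bosh-director', '127.0.0.1', 2) # same names, attacker's key
  pinned = OpenSSL::X509::Store.new
  pinned.add_cert(director_cert)                 # what nats-sync should trust

  stolen = []
  forged_info = '{"name":"bosh-director","user_authentication":{"type":"uaa","options":{"url":"https://uaa.attacker.invalid"}}}'
  mitm_port, mitm = start_https_responder(mitm_cert, mitm_key, forged_info, stolen)
  real_port, real = start_https_responder(director_cert, director_key, '{"name":"bosh-director"}', [])

  results = {}
  # Vulnerable: VERIFY_NONE accepts the look-alike certificate, the Basic credentials go to
  # the attacker, and the attacker's /info (pointing UAA elsewhere) is believed.
  results[:verify_none] = fetch_info(mitm_port, 'admin', 'hunter2', verify_mode: OpenSSL::SSL::VERIFY_NONE)
  results[:stolen_auth] = stolen.dup
  # Hardened: VERIFY_PEER with the pinned store rejects the attacker's handshake; nothing more leaks.
  begin
    fetch_info(mitm_port, 'admin', 'hunter2', verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: pinned)
    results[:verify_peer_vs_mitm] = :connected
  rescue OpenSSL::SSL::SSLError
    results[:verify_peer_vs_mitm] = :rejected
  end
  results[:leaked_after_fix] = stolen.size
  # Control: the hardened client still reaches the real director.
  results[:verify_peer_vs_director] = fetch_info(real_port, 'admin', 'hunter2',
                                                 verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: pinned)
  results
ensure
  mitm&.close
  real&.close
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The pinned store is the strict end of the spectrum; a director CA certificate in the store (or via Net::HTTP#ca_file) gives the same protection while allowing director certificate rotation under that CA. What matters for this CVE is that verify_mode is never VERIFY_NONE on the path that carries director credentials.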
Impact
With the stolen director credentials the attacker gains administrative access to the director. By tampering with the VM list that nats-sync writes into the NATS authorization file, the attacker can also alter which VM agents that file authorizes on the NATS bus, potentially allowing unauthorized access to or control over virtual machines managed by BOSH. The result is a compromise of confidentiality, integrity and availability [1].
Mitigation
Users of affected BOSH versions should upgrade to BOSH v282.1.9 or later, which was released on or after June 1st, 2026. The available references disclose no workaround or other mitigation [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BOSH: versions <v282.1.9
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.