CVE-2026-41860
Description
BOSH versions prior to v282.1.9 are vulnerable to local attackers stealing credentials via MITM due to hardcoded SSL verification disabling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via Man-in-the-Middle (MITM) attacks. The HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous methods hard-code OpenSSL::SSL::VERIFY_NONE, which disables SSL certificate verification. This enables an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA. All BOSH versions prior to v282.1.9 are affected [1].
Exploitation
A local attacker can exploit this vulnerability by intercepting network traffic between bosh-monitor and the BOSH director or UAA. By leveraging the disabled SSL verification, the attacker can perform a MITM attack to steal Basic-auth credentials or redirect UAA token requests. No specific user interaction or elevated privileges beyond local access are required [1].
Impact
Successful exploitation allows a local attacker to steal sensitive Basic-auth credentials and potentially redirect UAA token requests. This can lead to unauthorized access to BOSH resources and compromise the confidentiality and integrity of the system. The scope of the compromise can be significant, affecting the BOSH director and UAA services [1].
Mitigation
Users of affected BOSH products are strongly encouraged to upgrade to BOSH version v282.1.9 or later. This fix addresses the vulnerability by correctly implementing SSL certificate verification. No other workarounds are mentioned in the available references. The Cloud Foundry Foundation recommends upgrading to the fixed version [1].
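The Vulnerability section above names the weak setting (a hard-coded OpenSSL::SSL::VERIFY_NONE in the bosh-monitor HTTP helper) and the Mitigation section names the fix (real certificate verification). The following Ruby example is added here as an illustration; it is not code from BOSH or bosh-monitor. It constructs, in-process, a private operator CA, a director certificate issued by that CA, and a self-signed impersonator for the same hostname, then shows which certificates a client accepts under each verify mode, and builds a Net::HTTP client configured the way a fixed helper should be. The hostname `director.example.test`, the port, and the helper names (`make_cert`, `peer_cert_accepted?`, `build_https_client`, `build_insecure_client`, `verifies_peer?`) are assumptions for the example, not BOSH identifiers.

```ruby
require "openssl"
require "net/http"

# Build an X.509 certificate for the example. With no issuer it is
# self-signed; otherwise it is issued by issuer_cert/issuer_key.
# All key and certificate material here is constructed on the fly.
def make_cert(subject, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# The decision the verify mode controls, reduced to one function:
# VERIFY_NONE continues the handshake with any certificate the peer presents
# (the vulnerable behaviour), VERIFY_PEER only with one that chains to a CA
# in the trust store.
def peer_cert_accepted?(presented_cert, store, verify_mode)
  return true if verify_mode == OpenSSL::SSL::VERIFY_NONE
  store.verify(presented_cert)
end

# Hardened client setup (assumed helper, not a BOSH method): an explicit
# trust store and peer verification that no configuration can switch off.
def build_https_client(host, port, store)
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http
end

# The pattern the description reports, for comparison: verification is
# disabled unconditionally, so any interposed certificate is accepted.
def build_insecure_client(host, port)
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Audit check a reviewer can apply to any Net::HTTP instance before use.
def verifies_peer?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end

# Constructed scenario: an operator CA, the genuine director certificate it
# issued, and a rogue self-signed certificate carrying the same name, which
# is what an interposer on the path between monitor and director presents.
def demo
  ca_cert, ca_key  = make_cert("/CN=Example Operator CA", 1, ca: true)
  director_cert, _ = make_cert("/CN=director.example.test", 2,
                               issuer_cert: ca_cert, issuer_key: ca_key)
  rogue_cert, _    = make_cert("/CN=director.example.test", 3)

  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)

  {
    none_accepts_rogue:      peer_cert_accepted?(rogue_cert, store, OpenSSL::SSL::VERIFY_NONE),
    peer_rejects_rogue:      !peer_cert_accepted?(rogue_cert, store, OpenSSL::SSL::VERIFY_PEER),
    peer_accepts_genuine:    peer_cert_accepted?(director_cert, store, OpenSSL::SSL::VERIFY_PEER),
    hardened_client_ok:      verifies_peer?(build_https_client("director.example.test", 443, store)),
    insecure_client_flagged: !verifies_peer?(build_insecure_client("director.example.test", 443)),
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |check, ok| puts "#{check}: #{ok ? 'as expected' : 'UNEXPECTED'}" }
end
```

Every entry in the hash returned by `demo` is true when verification behaves as the fix intends. The first entry is the point of the advisory: with VERIFY_NONE the impersonator's certificate is accepted, so whatever Basic-auth header or UAA token request follows the handshake goes to the interposer. The `verifies_peer?` check is the kind of assertion a test suite or code review can apply to every outbound HTTPS client so that a hard-coded VERIFY_NONE cannot reappear.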
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <282.1.9
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.