CVE-2026-41704: CWE-284 Improper Access Control in Cloud Foundry Foundation BOSH Director
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12
AI Analysis
Technical Summary
The vulnerability in BOSH Director involves the AgentClient#handle_method processing NATS replies and invoking download_and_delete_blob without sufficient validation. Specifically, ResourceManager calls blobstore.delete(id) on the shared Director blobstore without checking UUID format, ownership, or namespace prefix, leading to improper access control (CWE-284). This can allow deletion of arbitrary blobs by users with high privileges. The issue affects all BOSH Director versions prior to v282.1.12.
Potential Impact
An attacker with high privileges on BOSH Director could exploit this vulnerability to delete arbitrary blobs from the shared blobstore. This could result in loss of important data or disruption of Director operations relying on those blobs. The vulnerability requires high privileges and local access, limiting remote exploitation potential. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to users with high privileges on BOSH Director and monitor for suspicious deletion activity. Avoid using affected versions and plan to upgrade to v282.1.12 or later once a patch is released.
CVE-2026-41704: CWE-284 Improper Access Control in Cloud Foundry Foundation BOSH Director
Description
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12
CVSS v4.0
Score 6.8medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in BOSH Director involves the AgentClient#handle_method processing NATS replies and invoking download_and_delete_blob without sufficient validation. Specifically, ResourceManager calls blobstore.delete(id) on the shared Director blobstore without checking UUID format, ownership, or namespace prefix, leading to improper access control (CWE-284). This can allow deletion of arbitrary blobs by users with high privileges. The issue affects all BOSH Director versions prior to v282.1.12.
Potential Impact
An attacker with high privileges on BOSH Director could exploit this vulnerability to delete arbitrary blobs from the shared blobstore. This could result in loss of important data or disruption of Director operations relying on those blobs. The vulnerability requires high privileges and local access, limiting remote exploitation potential. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to users with high privileges on BOSH Director and monitor for suspicious deletion activity. Avoid using affected versions and plan to upgrade to v282.1.12 or later once a patch is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-22T06:21:34.489Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16a55fe29bf47b50a642a0
Added to database: 5/27/2026, 8:03:43 AM
Last enriched: 5/27/2026, 8:19:21 AM
Last updated: 5/28/2026, 8:33:00 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.