PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47828 BOSH-Ecosystem / BOSH (bosh-cli) CVE debrief

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director, then replay the credentials against the real VM's agent for root code execution. This vulnerability allows for potential root code execution via man-in-the-middle credential replay.

Vendor
BOSH-Ecosystem / BOSH (bosh-cli)
Product
bosh-cli
CVSS
HIGH 8.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-13
Advisory published
2026-07-09
Advisory updated
2026-07-13

Who should care

Users of BOSH CLI versions prior to v7.10.4 should update to the latest version to prevent potential root code execution via man-in-the-middle credential replay. This affects operators, platform administrators, and security teams managing BOSH deployments.

Technical summary

The BOSH CLI is vulnerable to a man-in-the-middle attack due to missing TLS certificate verification when uploading compiled CPI packages and rendered job templates to the new VM's DAV blobstore. This allows a network attacker to harvest Basic-auth credentials and read rendered-templates archives containing bootstrap secrets, which can be replayed against the real VM's agent for root code execution. Affected versions are prior to v7.10.4.

Defensive priority

High priority due to the potential for root code execution and high CVSS score of 8.9.

Recommended defensive actions

  • Update BOSH CLI to version 7.10.4 or later
  • Verify the server certificate when uploading to the DAV blobstore
  • Use a secure connection to the blobstore
  • Monitor for suspicious activity on the BOSH Director
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-09T07:16:23.990Z and last modified on 2026-07-13T13:35:57.873Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected versions and update to v7.10.4 or later. Limited source detail is available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T07:16:23.990Z and has not been modified since then. The NVD entry is currently Analyzed.