PatchSiren cyber security CVE debrief
CVE-2026-41009 Cloud Foundry Foundation CVE debrief
A path traversal vulnerability in BOSH Director's local blobstore provider allows authenticated agents to read or delete arbitrary files on the director host. When processing long-running request responses (e.g., compile_package), the director passes agent-supplied blob identifiers unmodified to the local blobstore client. The LocalClient#object_file_path method constructs file paths via simple string concatenation without normalization, enabling directory traversal sequences (e.g., ../../jobs/director/config/director.yml) to escape the blobstore root directory. This affects all BOSH Director versions prior to v282.1.12 when configured with the local blobstore provider.
- Vendor: Cloud Foundry Foundation
- Product: BOSH Director
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running BOSH Director with the local blobstore provider, particularly Cloud Foundry platform operators and teams managing multi-tenant BOSH environments where agent compromise or deployment of a malicious agent is a concern.
Technical summary
The vulnerability exists in the interaction between AgentClient and the local blobstore implementation. When the director processes agent responses for long-running tasks, the methods inject_compile_log (lines 332-339) and format_exception (lines 318-325) extract blob identifiers from agent-controlled JSON fields (response['value']['result']['compile_log_id'] and exception['blobstore_id']). These identifiers pass through download_and_delete_blob (lines 344-349) to Api::ResourceManager, which forwards them directly to the blobstore layer.

In Blobstore::LocalClient, the object_file_path method (local_client.rb:54-56) builds the path as File.join(@blobstore_path, oid) without sanitization or normalization. An attacker controlling a BOSH agent can supply an oid value containing directory traversal sequences (e.g., ../../jobs/director/config/director.yml) to access or delete files outside the intended blobstore directory. The ensure block in download_and_delete_blob guarantees that deletion occurs even if the read operation fails, so the flaw yields both information disclosure and integrity impact.
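The following is an added illustration, not BOSH's own code: a minimal stand-in for the local blobstore client showing the unnormalized join the advisory describes next to a hardened variant that validates the identifier and confirms the resolved path stays under the blobstore root. The class name, the root path and the sample identifiers are assumptions chosen for the example.

```ruby
# Added example (not BOSH Director code). Demonstrates why
# File.join(@blobstore_path, oid) is insufficient and what a
# defensive object_file_path should check instead.
class LocalBlobstorePaths
  def initialize(blobstore_path)
    # Absolute, normalized root so prefix comparison below is meaningful.
    @blobstore_path = File.expand_path(blobstore_path)
  end

  # The vulnerable pattern: a plain join. File.join does not normalize,
  # so "../" segments in an agent-supplied oid survive into the path.
  def unsafe_object_file_path(oid)
    File.join(@blobstore_path, oid)
  end

  # Where the unsafe path actually lands once the kernel resolves it.
  def resolved_target(oid)
    File.expand_path(unsafe_object_file_path(oid))
  end

  # Hardened variant: accept only flat identifiers, then resolve and
  # verify containment as a second, independent check.
  def safe_object_file_path(oid)
    unless oid.is_a?(String) && oid.match?(/\A[A-Za-z0-9._-]+\z/)
      raise ArgumentError, "invalid blob id"
    end
    # "." and ".." pass the character whitelist but are not blob names.
    raise ArgumentError, "invalid blob id" if oid == "." || oid == ".."

    path = File.expand_path(oid, @blobstore_path)
    raise ArgumentError, "blob id escapes blobstore root" unless within_root?(path)
    path
  end

  private

  # True only if path is strictly inside the root (not the root itself).
  def within_root?(path)
    root_prefix = @blobstore_path.end_with?("/") ? @blobstore_path : "#{@blobstore_path}/"
    path.start_with?(root_prefix)
  end
end
```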
Defensive priority
medium
Recommended defensive actions
- Upgrade BOSH Director to v282.1.12 or later
- If immediate patching is not feasible, stop using the local blobstore provider and migrate to an external blobstore backend (e.g., S3, GCS, or Azure Blob Storage)
- Review director host filesystem permissions to limit the blast radius of any file access or deletion by the director process
- Monitor director logs for anomalous blob access patterns, in particular blob identifiers containing path separators or ".." segments
- Audit agent certificates and authentication to ensure only authorized agents can communicate with the director
Evidence notes
The vulnerability description confirms path traversal via the unnormalized oid parameter in Blobstore::LocalClient#object_file_path. The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:H/UI:P/VC:N/VI:H/VA:L) reflects a local attack vector with high privileges required. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) was assigned by the VMware security team.
Official resources
- CVE-2026-41009 CVE record (CVE.org)
- CVE-2026-41009 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27