PatchSiren

BOSH-Ecosystem / BOSH (bosh-cli) CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH BOSH-Ecosystem / BOSH (bosh-cli) CVE published 2026-07-09

CVE-2026-47828

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archi [truncated]