MEDIUM
Cloud Foundry Foundation
CVE published 2026-05-27
CVE-2026-41009
A path traversal vulnerability in BOSH Director's local blobstore provider allows authenticated agents to read or delete arbitrary files on the director host. When processing long-running request responses (e.g., compile_package), the director passes agent-supplied blob identifiers unmodified to the local blobstore client. The LocalClient#object_file_path method constructs file paths via simple string con [truncated]
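One way to guard the kind of path construction described above, as an added Ruby example that is not BOSH Director code. The function names, the blob id pattern and the root directory are assumptions made for illustration.

```ruby
# Hypothetical names throughout; this is not the project's code.
class UnsafeBlobId < StandardError; end

# Assumed id alphabet: one path component, no separators, no leading dot.
# \A and \z anchor the whole string; ^ and $ would only anchor a single line
# and let an id with an embedded newline through.
BLOB_ID_PATTERN = /\A[0-9A-Za-z][0-9A-Za-z._-]{0,127}\z/

# The pattern the advisory describes: the id is appended to the root as-is.
def naive_object_path(root, blob_id)
  File.join(root, blob_id)
end

# True when path, after normalisation, is strictly inside root.
def contained?(root, path)
  File.expand_path(path).start_with?(File.expand_path(root) + File::SEPARATOR)
end

# Hardened form: allow-list the id first, then confirm containment anyway
# so a later change to the pattern cannot silently reopen the hole.
def safe_object_path(root, blob_id)
  id = blob_id.to_s
  raise UnsafeBlobId, 'malformed blob id' unless id.match?(BLOB_ID_PATTERN)

  candidate = File.expand_path(id, File.expand_path(root))
  raise UnsafeBlobId, 'id resolves outside the root' unless contained?(root, candidate)

  candidate
end

if __FILE__ == $PROGRAM_NAME
  root = '/srv/example-blobstore' # constructed root, not a real BOSH path
  # Constructed ids: one well-formed, the rest malformed in different ways.
  ['b3c1f0e2-1111-4222-8333-444455556666', '../../outside.txt',
   "abc\n../x", '/abs', 'a/b'].each do |id|
    naive = File.expand_path(naive_object_path(root, id))
    checked = begin
      safe_object_path(root, id)
    rescue UnsafeBlobId => e
      "rejected (#{e.message})"
    end
    puts "#{id.inspect}: naive=#{naive} checked=#{checked}"
  end
end
```

`File.expand_path` normalises `..` segments but does not resolve symlinks, so a deployment that allows symlinks under the root would also compare `File.realpath` results for files that already exist.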