PatchSiren

CloudFoundry BOSH CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH CloudFoundry BOSH CVE published 2026-07-09

CVE-2026-41857

A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. This issue affects BOSH CLI versions prior to 7.10.5. The vulnerability arises from the BOSH CLI's handling of ssh commands, allowing a malicious director to inject commands. Users of Cloudfoundry Bosh Cli should be aware [truncated]