PT-2026-43566 · Cloud Foundry Foundation+2 · Bosh Director+1

Published

2026-05-27

·

Updated

2026-06-08

·

CVE-2026-41009

CVSS v3.1

5.8

Medium

VectorAV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions BOSH Director versions prior to v282.1.12
Description When the director sends a long-running request, such as compile package, the agent's reply JSON is processed by AgentClient. The functions inject compile log() and format exception() read the compile log id and blobstore id from the response and pass these agent-supplied strings unmodified to download and delete blob(blob id). This function subsequently calls @resource manager.get resource(blob id) and @resource manager.delete resource(blob id), which forward the ID to blobstore.get(id) and blobstore.delete(id). If the director uses the local blobstore provider, Blobstore::LocalClient#object file path(oid) uses File.join(@blobstore path, oid) without normalization. This allows an attacker to use a path like ../../jobs/director/config/director.yml to resolve files outside the blobstore root.
Recommendations Update BOSH Director to version v282.1.12 or later.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41009

Affected Products

Bosh Director
Bosh