CVE-2026-41704

AgentClient#handle method (lines 264-303) processes every NATS reply. It calls inject compile log (line 273) on every response, which reads response['value']['result']['compile log id'] (line 332-338) and passes it to download and delete blob. Separately, any response containing 'exception' goes through format exception (lines 308-325), which reads exception['blobstore id'] and also calls download and delete blob. That helper (lines 344-349) calls ResourceManager#get resource(blob id) and, in an ensure block, ResourceManager#delete resource(blob id). ResourceManager (resource manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix.

Affected versions: BOSH Director: All versions prior to v282.1.12