PT-2026-45516 · Cloud Foundry Foundation · Smb-Volume-Release+2

Published: 2026-06-01 · Updated: 2026-06-02 · CVE-2026-41013

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

smb-volume-release versions prior to v3.60.0
CF Deployment versions prior to v56.0.0

Description

An input validation bypass exists in the SMB volume mount handling within Cloud Foundry Foundation diego-release. It allows a low-privileged CF space developer to bypass the mount-option allowlist and inject arbitrary kernel CIFS mount options, leading to privilege escalation and the bypass of security controls on multi-tenant Diego cells.

Recommendations

Update smb-volume-release to version v3.60.0 or later. Update CF Deployment to version v56.0.0 or later.

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41013

Affected Products

Cf-Deployment
Diego-Release
Smb-Volume-Release