CVE-2026-41860

CVSS v3.1

8.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create async endpoint and #send http get request synchronous hard-code OpenSSL::SSL::VERIFY NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.

Affected versions:

BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

Fix

Inadequate Encryption Strength

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-326

Related Identifiers

CVE-2026-41860

Affected Products

Bosh

CVE-2026-41860

Weakness Enumeration

Related Identifiers

Affected Products

References · 2