By weakness (CWE)

CWE-326: related vulnerabilities

CVEs classified under CWE-326. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

1 published vulnerability

  • CVE-2026-41860HIGH 8.8

    BOSH, a widely-used Infrastructure-as-Code and deployment orchestration platform, contains a flaw in how it validates SSL/TLS certificates when communicating with internal services like the BOSH director and UAA (User Account and Authentication). Specifically, the HttpRequestHelper component explicitly disables certificate verification (VERIFY_NONE), which means an attacker with local access to the network can intercept and eavesdrop on these communications. This allows stealing Basic authentication credentials or session tokens, potentially granting unauthorized access to your deployment infrastructure. The vulnerability affects all BOSH versions up through v282.1.8; version 282.1.9 and later include the fix.