CVE-2026-41011: BOSH Shell Injection in Package Upload Validation
BOSH (the Cloud Foundry deployment automation framework) contains a shell injection vulnerability in its package validation logic. When a user uploads a release tarball containing a malicious package name, the system executes that name as a shell command without sanitization. An authenticated attacker with upload privileges can inject arbitrary commands that run with BOSH director privileges. The vulnerability exists because validation occurs after the dangerous shell operation, not before.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x{} — i.e., /bin/sh -c. No Shellwords.escape is applied. The Models::Package Sequel validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) would reject the name, but in create_package (lines 74–79) the shell-out in save_package_source_blob runs before package.save, so validation fires too late. Affected versions: - BOSH: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41011 is a command injection flaw in BOSH's PackagePersister.validate_tgz method. The vulnerable code path accepts a package name from release.MF (the manifest inside an uploaded tarball), constructs a tar command string via File.join, and passes it directly to Bosh::Common::Exec.sh using Ruby's %x{} operator (which invokes /bin/sh -c). No shell escaping is applied via Shellwords.escape(). Although Models::Package defines a regex validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) that would reject most special characters, the validation runs via package.save() at lines 74–79, which occurs after create_package has already invoked save_package_source_blob and executed the unvalidated tar command. This timing issue allows shell metacharacters in the package name to break out of the intended tar invocation.
Business impact
BOSH directors are typically privileged infrastructure nodes with broad access to cloud environments, cryptographic material, and deployment credentials. Exploitation allows an authenticated package uploader to execute arbitrary shell commands on the director, potentially leading to theft of operator credentials, modification or deletion of deployments, lateral movement into the managed infrastructure, and denial of service. Organizations relying on BOSH for Kubernetes clusters, Cloud Foundry, or other critical workloads face severe operational risk.
Affected systems
All BOSH versions prior to v282.1.12 are vulnerable. The issue affects any BOSH director instance that allows authenticated users to upload release packages. Patched versions v282.1.12 and later include mitigations. CloudFoundry users, BOSH operators managing heterogeneous infrastructure, and organizations running custom BOSH releases should verify their deployed version immediately.
Exploitability
The attack requires authentication and upload privileges (high privilege bar), but once inside, exploitation is straightforward: craft a release tarball with a shell metacharacter in the package name field of release.MF, upload it, and the director executes the injected command. No user interaction or network connectivity from outside is needed. The attacker gains execution in the security context of the BOSH director process. The CVSS score of 8.2 (HIGH) reflects high impact on confidentiality, integrity, and availability, offset slightly by the local attack vector and high privilege requirement.
Remediation
Apply BOSH v282.1.12 or later immediately. Verify the upgrade before deploying new releases. Until patching is complete, restrict package upload permissions to highly trusted operators and implement network segmentation to limit access to the BOSH director API endpoint. Monitor logs for suspicious package uploads containing shell metacharacters or unusual package names.
Patch guidance
Upgrade BOSH to v282.1.12 or any version released after the fix. Consult the official BOSH release notes and your vendor advisory to confirm patch applicability to your deployment model (BOSH Lite, on-premises, managed service, etc.). Test the upgrade in a staging environment to ensure compatibility with existing releases and deployments before production rollout.
Detection guidance
Review package upload logs and release manifests for package names containing characters outside the expected alphanumeric + dash/underscore/plus/dot set. Watch for tar errors or unexpected process execution during package uploads. Enable audit logging on the BOSH director and alert on commands executed from the package persistence layer. Search for patterns like $(…), `…`, |, &, ;, >, <, or newlines in package name fields extracted from release.MF metadata.
Why prioritize this
HIGH severity due to the combination of direct OS command execution, broad impact scope (director-level compromise), and relative ease of exploitation for authenticated users. While the privilege requirement mitigates blast radius, insiders or users with legitimate upload access pose significant risk. The fix is available and straightforward to apply, making immediate patching the clear priority.
Risk score, explained
CVSS 8.2 reflects: (1) Local Attack Vector (L) — attacker must authenticate and upload to the director; (2) Low Complexity (L) — no race conditions or user traps; (3) High Privilege Required (H) — reduces score from 9.x range; (4) Changed Scope (C) — command execution can affect other processes and system stability; (5) High CIA impact (H/H/H) — full compromise of director confidentiality, integrity, availability. The score correctly penalizes the privilege gate but reflects the severity of unrestricted command execution at the infrastructure layer.
Frequently asked questions
Do I need upload privileges to exploit this?
Yes. The attacker must authenticate to the BOSH director API and possess the permission to upload release packages. This is a privileged operation, but in many environments multiple operators or CI/CD systems hold this permission.
Can an unauthenticated user on the network exploit this?
No. The attack vector is Local (AV:L) and requires prior authentication and upload authorization. This significantly reduces the ambient risk surface compared to a remote unauthenticated flaw.
Does this affect only Cloud Foundry?
No. BOSH is a generic Infrastructure-as-Code automation framework. It is used by Cloud Foundry, Kubernetes operators, and many other projects. Any BOSH deployment prior to v282.1.12 that accepts package uploads is at risk.
What should I do while we prepare the upgrade?
Immediately audit who has package upload permissions and ensure only trusted, well-monitored accounts retain that privilege. Implement network access controls to limit who can reach the BOSH director API. Review recent release uploads for suspicious package names. Test the v282.1.12 upgrade in a non-production environment and plan a maintenance window for rollout.
This analysis is based on the published CVE description and CVSS scoring. Verify patch version numbers and availability directly with official BOSH release channels and your vendor's security advisory. SEC.co does not provide legal or regulatory advice; consult your compliance and security teams regarding risk tolerance and remediation timelines for your organization. No proof-of-concept code or exploitation details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability