HIGH 8.8

CVE-2026-41860: BOSH SSL/TLS Certificate Verification Bypass – Credential Theft Risk

BOSH, a widely-used Infrastructure-as-Code and deployment orchestration platform, contains a flaw in how it validates SSL/TLS certificates when communicating with internal services like the BOSH director and UAA (User Account and Authentication). Specifically, the HttpRequestHelper component explicitly disables certificate verification (VERIFY_NONE), which means an attacker with local access to the network can intercept and eavesdrop on these communications. This allows stealing Basic authentication credentials or session tokens, potentially granting unauthorized access to your deployment infrastructure. The vulnerability affects all BOSH versions up through v282.1.8; version 282.1.9 and later include the fix.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-326
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials. Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from CWE-326 (Inadequate Encryption Strength) in BOSH's HttpRequestHelper class. The methods create_async_endpoint and send_http_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE when establishing HTTPS connections, disabling hostname and certificate chain validation entirely. An attacker positioned on the local network (or with access to shared network infrastructure) can perform a Man-in-the-Middle attack by presenting a self-signed or attacker-controlled certificate, which the BOSH client will accept without validation. Communication flows targeted include bosh-monitor to BOSH director interactions and UAA token requests, both of which transmit authentication credentials. With verification disabled, the attacker captures credentials in plaintext over the unvalidated TLS session.

Business impact

Compromise of BOSH credentials or UAA tokens leads to unauthorized control of infrastructure deployment and lifecycle management. An attacker gaining director-level access can redeploy, reconfigure, or delete deployments; modify or exfiltrate application data; and potentially pivot to hosted applications. If UAA tokens are stolen, an attacker gains authentication to any system trusting those tokens. For organizations running production workloads on BOSH-managed infrastructure, this translates to potential service disruption, data breach, and loss of availability. The risk is elevated in environments where network segmentation is weak or where multiple teams share infrastructure networks.

Affected systems

All BOSH releases prior to and including v282.1.8 are vulnerable. This includes on-premises BOSH deployments, Tanzu Application Service (TAS) implementations built on BOSH, and any custom deployments using affected BOSH versions. The vulnerability requires local or adjacent network access to intercept traffic, so air-gapped or highly segmented deployments face lower immediate risk. However, organizations running BOSH in cloud environments or shared data centers where network isolation is logical (rather than physical) should prioritize patching.

Exploitability

Exploitation requires local network access or a position on the network path between BOSH components (bosh-monitor, BOSH director, UAA). The attacker does not need elevated privileges on the BOSH systems themselves, only the ability to intercept traffic—a realistic scenario in shared infrastructure, compromised intermediate nodes, or misconfigured cloud network security groups. No user interaction is required; the vulnerability is triggered whenever the affected code path executes (e.g., bosh-monitor health checks, routine UAA authentication). The CVSS 3.1 score of 8.8 (HIGH) reflects local attack vector, low complexity, low privilege requirement, and high impact across confidentiality and integrity.

Remediation

Upgrade BOSH to version 282.1.9 or later. The fix re-enables proper SSL/TLS certificate verification in HttpRequestHelper. Organizations should verify that their BOSH director version matches the patched release before re-deploying monitoring agents and services. Additionally, implement network segmentation to restrict direct access to BOSH and UAA services to authorized systems only, and monitor for unexpected certificate validation errors during the transition period.

Patch guidance

Consult your BOSH vendor or distribution (e.g., Cloud Foundry, Tanzu) for the specific patched build and release schedule. The fix is present in BOSH v282.1.9 or any later release. When applying the patch, plan a maintenance window to restart bosh-monitor and any other components using HttpRequestHelper. Verify that SSL/TLS verification is now active by examining logs for successful certificate validation; any persistent verification failures may indicate misconfigured or self-signed certificates in your environment, which should be addressed separately. Test the patched version in a non-production environment first to ensure compatibility with your deployment's certificate infrastructure.

Detection guidance

In the patched version, enable debug logging on BOSH director and monitoring components to confirm that SSL/TLS certificate verification is occurring. In vulnerable versions, monitor network traffic between bosh-monitor and the BOSH director for unencrypted authentication headers or tokens; use packet capture or TLS decryption appliances to inspect for plaintext credentials in sessions where certificate validation was bypassed. Check BOSH component logs for any unexpected connection failures or certificate errors, which could indicate an attacker's intervention. Network IDS/IPS rules should flag unexpected self-signed certificates or hostname mismatches on these internal communication paths.

Why prioritize this

This vulnerability should be prioritized highly in any organization running BOSH. The CVSS 8.8 score, combined with the simplicity of local exploitation and the high-value nature of BOSH credentials, makes this a tier-1 remediation target. Attackers with network access can gain broad infrastructure control. The fix is straightforward (upgrade to 282.1.9+) and carries low regression risk, making it an ideal early patching candidate. Prioritize production BOSH directors first, then staging and development environments.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (1) Local Attack Vector—the attacker must be on the network or network path, not remote, reducing the risk pool but not eliminating it in cloud or shared environments; (2) Low Attack Complexity—no special tools or timing required, just network positioning; (3) Low Privileges Required—no prior compromise of BOSH systems needed; (4) High Confidentiality Impact—credentials and tokens are stolen; (5) High Integrity Impact—tokens can be used to modify deployments; (6) High Availability Impact—stolen director access enables shutdown of services. The lack of active exploitation in the wild (KEV not listed) slightly reduces urgency, but the technical ease and high blast radius warrant immediate action.

Frequently asked questions

Does this vulnerability allow remote code execution?

No, this vulnerability enables credential theft via Man-in-the-Middle attacks on local or adjacent networks. Remote attackers without network access cannot exploit it directly. However, stolen credentials or tokens could enable further attacks. Always assume that credential compromise may lead to indirect remote access.

Do I need to worry about this if my BOSH is behind a firewall?

Network segmentation reduces risk but does not eliminate it. If an attacker compromises any system on the same network segment as BOSH, or if your firewall permits lateral movement, the vulnerability remains exploitable. Patching is still essential as a defense-in-depth measure.

What is the difference between upgrading to 282.1.9 and just using self-signed certificates?

Self-signed certificates do not fix the underlying issue; the vulnerability is that certificate validation is disabled entirely. Upgrading to 282.1.9 re-enables validation, meaning your certificates (self-signed or CA-issued) will be checked for validity and hostname matching. This prevents MITM attacks even if the attacker can insert a malicious certificate into the network.

Will patching require downtime?

Yes, patching requires restarting BOSH components that use HttpRequestHelper, typically including bosh-monitor and the BOSH director. Plan a maintenance window and test in a non-production environment first. The downtime is usually brief if you have a single director, but distributed deployments may allow rolling restarts to minimize impact.

This analysis is provided for informational purposes and reflects the vulnerability details as published. Security risk assessments should be tailored to your specific environment and threat model. Always consult official vendor advisories and patch release notes before deploying updates. SEC.co makes no warranty regarding the timeliness or completeness of patch availability across all BOSH distributions. Organizations should conduct thorough testing in non-production environments before rolling patches into production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).