Severity by source
CVSS vector (NVD, primary rating; only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to private key exposure. EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification, but for EC keys it incorrectly includes the private key components as well. Only deployments that use EC keys for JWT token signing are affected; RSA key configurations are not affected.
Affected versions:
- uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later
- CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
Analysis (AI-generated)
Private key disclosure in Cloud Foundry UAA versions v76.12.0 through v78.12.0 allows unauthenticated remote attackers to retrieve Elliptic Curve (EC) private key material from the public /token_keys endpoint, which is supposed to expose only public verification keys. With the leaked private keys, attackers can forge arbitrary JWTs and impersonate any UAA-authenticated identity across the platform. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The target must be a Cloud Foundry UAA instance running uaa_release v76.12.0-v78.12.0 (or cf-deployment v30.0.0-v56.0.0) AND configured to use EC (Elliptic Curve) keys for JWT token signing - RSA-signed deployments are not affected, which is a meaningful limiter because RSA is the historical default. … |
| Risk Assessment | Signals are consistent and severe: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L describes a network-reachable, no-auth, no-interaction flaw with scope change, which fits exactly - the leaked key compromises every resource server that trusts UAA-signed JWTs, not just UAA itself. … |
| Exploit Scenario | An unauthenticated attacker on the network discovers an affected UAA instance, issues a single HTTP GET to https://<uaa-host>/token_keys, and parses the returned JWK Set to extract the EC private key's 'd' parameter. Using that private key, the attacker mints a JWT impersonating any user or client (including platform admins) with arbitrary scopes and presents it to any service in the foundation that trusts UAA-signed tokens, achieving full platform compromise. … |
| Remediation | Vendor-released patch: upgrade uaa_release to v78.13.0 or later, or upgrade cf-deployment to v56.1.0 or later (which bundles the fixed UAA), per https://www.cloudfoundry.org/blog/cve-2026-40965-uaa-ec-private-key-disclosure/. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all Cloud Foundry UAA instances running versions v76.12.0 through v78.12.0; implement network access controls restricting the /token_keys endpoint to authorized internal services only; enable detailed logging of all /token_keys endpoint requests. …
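To confirm whether an instance is exposed, an operator can fetch the JWK Set from /token_keys and check each key for private parameters, which a published JWK must never carry (RFC 7518: 'd' for EC keys; 'd', 'p', 'q', 'dp', 'dq', 'qi', 'oth' for RSA keys). The audit function below is an added example, not code from UAA or the advisory; the JWK Set it runs on is constructed with placeholder values, and the extra PEM heuristic is an assumption, not a documented detail of this CVE.

```python
import json
from typing import Dict, List

# JWK parameters that are private key material and must never be served publicly.
PRIVATE_JWK_PARAMS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
}


def find_leaked_private_keys(jwks_json: str) -> List[Dict[str, str]]:
    """Return one finding per key in a JWK Set that exposes private-key parameters.

    Each finding records the kid, key type and the offending parameters so the
    operator can match them against the signing keys configured in UAA and
    rotate exactly those keys after patching.
    """
    jwks = json.loads(jwks_json)
    findings = []
    for key in jwks.get("keys", []):
        kty = key.get("kty", "")
        leaked = sorted(PRIVATE_JWK_PARAMS.get(kty, set()) & set(key))
        # Assumed extra heuristic: a PEM blob in any string field that is a private key.
        if any(isinstance(v, str) and "PRIVATE KEY" in v for v in key.values()):
            leaked.append("pem-private-key")
        if leaked:
            findings.append({"kid": key.get("kid", "<no kid>"), "kty": kty,
                             "private_params": ",".join(leaked)})
    return findings


# Constructed JWK Set in the RFC 7517 form /token_keys serves: an EC key that wrongly
# includes 'd' (the defect this CVE describes) next to a correctly public-only RSA key.
# All values are placeholders, not real key material.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "EC", "kid": "ec-key-1", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y", "d": "PLACEHOLDER_PRIVATE_SCALAR"},
        {"kty": "RSA", "kid": "rsa-key-1", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
})

if __name__ == "__main__":
    # In practice, pass the response body of GET https://<uaa-host>/token_keys here.
    for finding in find_leaked_private_keys(SAMPLE_JWKS):
        print(f"LEAK kid={finding['kid']} kty={finding['kty']} "
              f"private params: {finding['private_params']}")
```

Any finding means the affected signing key must be treated as compromised: patch, then rotate the key, since every token signed with it can no longer be trusted.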
Related identifiers
- EUVD-2026-33817
- GHSA-qc5f-2h9q-7m2g