Cloud Foundry diego-release CVE-2026-41013

EUVD-2026-33727 · HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-01 · vmware · GHSA-8h76-qw8h-fmjh
CVSS 3.1 (NVD): 8.1

Severity by source

NVD (primary): 8.1 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

4 events:

  • Jun 01, 2026 - 21:24 (vuln.today): Analysis Generated
  • Jun 01, 2026 - 21:22 (NVD): CVSS changed, 8.1 (HIGH)
  • Jun 01, 2026 - 20:02 (EUVD): Patch available
  • Jun 01, 2026 - 17:36 (nvd): CVE Published, UNKNOWN (no severity yet)

Description (CVE.org)

Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows a low-privileged CF space developer to inject arbitrary kernel CIFS mount options by bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells.

Affected versions:

  • smb-volume-release: All versions prior to v3.60.0
  • CF Deployment: All versions prior to v56.0.0

Analysis (AI)

Privilege escalation in Cloud Foundry smb-volume-release (prior to v3.60.0) and CF Deployment (prior to v56.0.0) lets a low-privileged CF space developer smuggle arbitrary CIFS mount options past the mount-option allowlist, gaining kernel-level mount control on shared Diego cells. The flaw maps to CWE-88 (argument injection) and carries CVSS 8.1 with low-privilege network exploitation; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain CF space-developer role
  • Delivery: Create or bind SMB volume service instance
  • Exploit: Inject comma-smuggled CIFS options past allowlist
  • Execution: Diego mounts share with attacker-controlled kernel options
  • Persist: Escalate privileges on shared Diego cell
  • Impact: Bypass tenant isolation and access other tenants' data

Vulnerability Assessment (AI)

Exploitation: Requires (1) a Cloud Foundry foundation running smb-volume-release < v3.60.0 or CF Deployment < v56.0.0 with the smb-volume service broker registered and enabled in the marketplace, (2) at least one Diego cell configured to accept SMB volume mounts, and (3) attacker possession of CF space-developer privileges in any org/space permitted to create or bind SMB volume service instances. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N indicates a network-reachable, low-complexity attack that requires only a CF space-developer role - a role routinely granted to many internal users in shared CF foundations - and yields high confidentiality and integrity impact with no availability impact and unchanged scope. …

Exploit Scenario: A CF user with the space-developer role in any space on a multi-tenant foundation creates or binds an SMB volume service instance, supplying a mount-option value that embeds an extra comma-separated CIFS flag (for example, smuggling uid=0 or a credentials path) past the allowlist. When Diego mounts the share into a tenant container, the kernel CIFS client honors the smuggled options, giving the attacker effective privilege escalation and the ability to bypass tenant isolation controls on that cell. …

Remediation: Apply the vendor-released patches: upgrade smb-volume-release to v3.60.0 or later and CF Deployment to v56.0.0 or later, per the Cloud Foundry advisory at https://www.cloudfoundry.org/blog/cve-2026-41013-tenant-controlled-comma-smuggles-arbitrary-cifs-mount-options/. …
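
The allowlist gap described in the exploit scenario, as an added example that is not code from smb-volume-release or the Cloud Foundry advisory: a check that validates option names only, beside one that also rejects delimiter characters. The `Opt` type, the function names, the allowlist contents and the sample input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

type Opt struct{ Key, Val string } // hypothetical type: one tenant-supplied option

// allowed is a constructed allowlist, not the project's real one.
var allowed = map[string]bool{"username": true, "vers": true, "ro": true}

// effectiveNames lists the option names a comma-splitting consumer would see.
func effectiveNames(s string) (names []string) {
	for _, p := range strings.Split(s, ",") {
		name, _, _ := strings.Cut(p, "=")
		names = append(names, name)
	}
	return names
}

// buildNaive checks option names only; a comma inside a value survives the join.
func buildNaive(opts []Opt) (string, error) {
	parts := make([]string, 0, len(opts))
	for _, o := range opts {
		if !allowed[o.Key] {
			return "", fmt.Errorf("option %q not allowed", o.Key)
		}
		parts = append(parts, o.Key+"="+o.Val)
	}
	return strings.Join(parts, ","), nil
}

// buildStrict rejects delimiter and control characters before the allowlist check.
func buildStrict(opts []Opt) (string, error) {
	for _, o := range opts {
		if strings.ContainsAny(o.Key+o.Val, ",\x00\r\n") {
			return "", fmt.Errorf("option %q contains a delimiter", o.Key)
		}
	}
	return buildNaive(opts)
}

func main() {
	in := []Opt{{"username", "alice"}, {"vers", "3.0,uid=0"}} // constructed input
	s, _ := buildNaive(in)
	_, err := buildStrict(in)
	fmt.Println("naive:", s, effectiveNames(s), "| strict:", err)
}
```

Comparing `effectiveNames` of the final option string against the allowlist is also a useful regression test for any code that assembles mount options from tenant input.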

Recommended Action (AI)

Within 24 hours: Inventory all Cloud Foundry environments and confirm which systems run smb-volume-release prior to v3.60.0 or CF Deployment prior to v56.0.0. …
