Skip to main content

BOSH CLI CVE-2026-47826

| EUVDEUVD-2026-42507 HIGH
Path Traversal (CWE-22)
2026-07-09 vmware GHSA-j722-97vw-3p9m
8.5
CVSS 4.0 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Malicious blobs.yml is network-delivered but the operator must run the CLI to sync it (UI:R), no auth needed (PR:N); traversal enables file write (I:H) and file exfiltration (C:H) with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 08:01 EUVD
Analysis Generated
Jul 09, 2026 - 07:15 vuln.today

DescriptionCVE.org

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4.

AnalysisAI

Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft blobs.yml with traversal path key
Delivery
Publish/tamper malicious BOSH release
Exploit
Operator runs CLI blob sync
Execution
Path key escapes blobstore directory
Impact
Write arbitrary files and exfiltrate sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to run the BOSH CLI against a release whose config/blobs.yml contains a maliciously crafted path key with directory-traversal sequences - i.e., an operator or CI/CD job must sync, download, or otherwise process an attacker-supplied or tampered release (UI:A). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N) describes a network-delivered, low-complexity, unauthenticated issue with high confidentiality and integrity impact but no availability impact, gated by user/operator interaction (UI:A) - the victim must run the CLI against a malicious blobs.yml. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes or tampers with a BOSH release so its config/blobs.yml contains a path key with traversal sequences pointing outside the blobstore directory. When an operator or CI pipeline runs the BOSH CLI to sync/download that release's blobs, the CLI writes attacker-controlled files to arbitrary host locations and can expose sensitive files, potentially leading to code execution or credential theft depending on the write target. …
Remediation Vendor-released patch: v7.10.4 - upgrade the BOSH CLI to v7.10.4 or later on all operator workstations and CI/CD runners, per the Cloud Foundry advisory (https://www.cloudfoundry.org/blog/cve-2026-47826-blobs-yaml-path-traversal-allows-file-writes/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 HOURS: Audit all deployed BOSH CLI versions; document which systems run versions prior to v7.10.4 and whether they've accessed external or untrusted release sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47826 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy