Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious blobs.yml is network-delivered but the operator must run the CLI to sync it (UI:R), no auth needed (PR:N); traversal enables file write (I:H) and file exfiltration (C:H) with no availability impact.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4.
AnalysisAI
Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to run the BOSH CLI against a release whose config/blobs.yml contains a maliciously crafted path key with directory-traversal sequences - i.e., an operator or CI/CD job must sync, download, or otherwise process an attacker-supplied or tampered release (UI:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N) describes a network-delivered, low-complexity, unauthenticated issue with high confidentiality and integrity impact but no availability impact, gated by user/operator interaction (UI:A) - the victim must run the CLI against a malicious blobs.yml. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes or tampers with a BOSH release so its config/blobs.yml contains a path key with traversal sequences pointing outside the blobstore directory. When an operator or CI pipeline runs the BOSH CLI to sync/download that release's blobs, the CLI writes attacker-controlled files to arbitrary host locations and can expose sensitive files, potentially leading to code execution or credential theft depending on the write target. … |
| Remediation | Vendor-released patch: v7.10.4 - upgrade the BOSH CLI to v7.10.4 or later on all operator workstations and CI/CD runners, per the Cloud Foundry advisory (https://www.cloudfoundry.org/blog/cve-2026-47826-blobs-yaml-path-traversal-allows-file-writes/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 HOURS: Audit all deployed BOSH CLI versions; document which systems run versions prior to v7.10.4 and whether they've accessed external or untrusted release sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42507
GHSA-j722-97vw-3p9m