Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
MITM position is a real prerequisite so AC:H rather than the vendor's AC:L; no auth needed (PR:N); password capture gives C:H and forged admin scopes give I:H, with no availability impact.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.
AnalysisAI
Adversary-in-the-middle credential theft and privilege escalation affects Cloud Foundry UAA (User Account and Authentication server) prior to v78.13.0 and cf-deployment prior to v56.2.0, where LDAP StartTLS unconditionally disables TLS hostname verification. An attacker positioned on the network path between UAA and its LDAP directory can present any certificate issued by any trusted CA to impersonate the directory, harvesting the LDAP bind password plus every end-user password submitted during simple-bind authentication and injecting forged group memberships that grant attacker-controlled admin scopes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the deployment to authenticate users against LDAP over StartTLS using simple-bind - that specific configuration is the trigger, and deployments not using LDAP StartTLS are unaffected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor (VMware/Cloud Foundry Foundation) scored this CVSS 4.0 9.3 with AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H, reflecting unauthenticated network reach and high confidentiality and integrity impact (password harvesting plus admin-scope forgery). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who gains a foothold on the network segment between UAA and the corporate LDAP server (via ARP spoofing, rogue DHCP/DNS, or a compromised switch/router) presents a valid-but-unrelated certificate signed by any trusted CA. UAA accepts it because hostname verification is disabled, so the attacker relays or terminates the StartTLS session, captures the LDAP bind password and each user's plaintext simple-bind password, and returns a crafted directory response asserting attacker-chosen group memberships. … |
| Remediation | Vendor-released patch: upgrade UAA to v78.13.0 or later, and cf-deployment to v56.2.0 or later, per the Cloud Foundry advisory (https://www.cloudfoundry.org/blog/cve-2026-47840-ldap-starttls-unconditionally-disables-hostname-verification/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Cloud Foundry deployments and determine UAA and cf-deployment versions (vulnerable: UAA prior to v78.13.0, cf-deployment prior to v56.2.0). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remot
An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior t
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42518
GHSA-rh75-5vxf-83m5