Skip to main content

Cloud Foundry UAA EUVDEUVD-2026-42518

| CVE-2026-47840 CRITICAL
2026-07-09 vmware GHSA-rh75-5vxf-83m5
9.3
CVSS 4.0 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
9.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

MITM position is a real prerequisite so AC:H rather than the vendor's AC:L; no auth needed (PR:N); password capture gives C:H and forged admin scopes give I:H, with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 09, 2026 - 08:01 EUVD
Analysis Generated
Jul 09, 2026 - 07:24 vuln.today
Severity Changed
Jul 09, 2026 - 07:22 NVD
HIGH CRITICAL
CVSS changed
Jul 09, 2026 - 07:22 NVD
7.5 (HIGH) 9.3 (CRITICAL)

DescriptionCVE.org

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.

AnalysisAI

Adversary-in-the-middle credential theft and privilege escalation affects Cloud Foundry UAA (User Account and Authentication server) prior to v78.13.0 and cf-deployment prior to v56.2.0, where LDAP StartTLS unconditionally disables TLS hostname verification. An attacker positioned on the network path between UAA and its LDAP directory can present any certificate issued by any trusted CA to impersonate the directory, harvesting the LDAP bind password plus every end-user password submitted during simple-bind authentication and injecting forged group memberships that grant attacker-controlled admin scopes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MITM position on UAA-to-LDAP segment
Delivery
Present any trusted-CA certificate at StartTLS
Exploit
UAA skips hostname verification, session accepted
Execution
Harvest LDAP bind and user simple-bind passwords
Persist
Return forged group memberships granting admin scopes
Impact
Escalate to platform administrator access

Vulnerability AssessmentAI

Exploitation Exploitation requires the deployment to authenticate users against LDAP over StartTLS using simple-bind - that specific configuration is the trigger, and deployments not using LDAP StartTLS are unaffected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor (VMware/Cloud Foundry Foundation) scored this CVSS 4.0 9.3 with AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H, reflecting unauthenticated network reach and high confidentiality and integrity impact (password harvesting plus admin-scope forgery). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who gains a foothold on the network segment between UAA and the corporate LDAP server (via ARP spoofing, rogue DHCP/DNS, or a compromised switch/router) presents a valid-but-unrelated certificate signed by any trusted CA. UAA accepts it because hostname verification is disabled, so the attacker relays or terminates the StartTLS session, captures the LDAP bind password and each user's plaintext simple-bind password, and returns a crafted directory response asserting attacker-chosen group memberships. …
Remediation Vendor-released patch: upgrade UAA to v78.13.0 or later, and cf-deployment to v56.2.0 or later, per the Cloud Foundry advisory (https://www.cloudfoundry.org/blog/cve-2026-47840-ldap-starttls-unconditionally-disables-hostname-verification/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Cloud Foundry deployments and determine UAA and cf-deployment versions (vulnerable: UAA prior to v78.13.0, cf-deployment prior to v56.2.0). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy