CVE Catalog

CVE-2026-41009

MediumCVSS 5.8
Published: Updated: Translated: NVD NIST

Summary

CVE-2026-41009 affects BOSH Director, where the agent's response to long-running requests may lead to unauthorized access to system files. Due to the lack of normalization of the blob identifier, it is possible to reference files outside the blobstore root.

Risk Assessment

The organization may be exposed to sensitive data leaks or unauthorized access to configuration files, potentially leading to serious security incidents.

Recommendation

It is recommended to update BOSH Director to version v282.1.12 or later to mitigate this vulnerability. Additionally, conducting an audit of file access in the system is advisable.

Original NVD description (English source)

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (line 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root. Affected versions: BOSH Director: All versions prior to v282.1.12

Vulnerability data from NVD (NIST) · CISA KEV · EPSS