CVE-2026-41009
MediumCVSS 5.8Summary
CVE-2026-41009 affects BOSH Director, where the agent's response to long-running requests may lead to unauthorized access to system files. Due to the lack of normalization of the blob identifier, it is possible to reference files outside the blobstore root.
Risk Assessment
The organization may be exposed to sensitive data leaks or unauthorized access to configuration files, potentially leading to serious security incidents.
Recommendation
It is recommended to update BOSH Director to version v282.1.12 or later to mitigate this vulnerability. Additionally, conducting an audit of file access in the system is advisable.
Original NVD description (English source)
When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (line 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root. Affected versions: BOSH Director: All versions prior to v282.1.12

