CVE-2026-41704
MediumCVSS 5.0Summary
CVE-2026-41704 affects BOSH Director, where the AgentClient#handle_method processes NATS replies, leading to unauthorized access to resources in the blobstore. The lack of proper checks, such as UUID format validation, ownership verification, and namespace prefix checks, allows unauthorized deletion of resources.
Risk Assessment
The organization may be exposed to unauthorized deletion of resources in the blobstore, potentially leading to data loss and disruption of system operations. Specifically, the lack of access controls over resources could result in serious security incidents.
Recommendation
It is recommended to upgrade BOSH Director to version v282.1.12 or later to mitigate this vulnerability. Additionally, implementing further access controls for resources in the blobstore is advisable.
Original NVD description (English source)
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12

