CVE Catalog

CVE-2026-41704

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Summary

CVE-2026-41704 affects BOSH Director, where the AgentClient#handle_method processes NATS replies, leading to unauthorized access to resources in the blobstore. The lack of proper checks, such as UUID format validation, ownership verification, and namespace prefix checks, allows unauthorized deletion of resources.

Risk Assessment

The organization may be exposed to unauthorized deletion of resources in the blobstore, potentially leading to data loss and disruption of system operations. Specifically, the lack of access controls over resources could result in serious security incidents.

Recommendation

It is recommended to upgrade BOSH Director to version v282.1.12 or later to mitigate this vulnerability. Additionally, implementing further access controls for resources in the blobstore is advisable.

Original NVD description (English source)

AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12

Vulnerability data from NVD (NIST) · CISA KEV · EPSS