highCVE-2026-41857

BOSH CLI Compromised Director Operator Workstation Command Execution Vulnerability

A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. Affected versions: BOSH CLI versions prior to 7.10.5.

ProductBOSH CLI
CVSS7.1
EPSS0.00148
UpdatedJuly 10, 2026

Quick answer

Cloud Foundry Foundation BOSH CLI should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • BOSH CLI versions prior to 7.10.5

Fixed versions

  • 7.10.5

How to fix it

BOSH CLI before 7.10.5 could allow a compromised BOSH Director to trigger command execution on an operator workstation through SSH, SCP, or log-follow workflows. Upgrade the CLI and treat affected operator endpoints as a possible compromise boundary.

  1. Inventory BOSH CLI versions on operator workstations, jump hosts, and CI automation runners.
  2. Upgrade BOSH CLI to 7.10.5 or later everywhere operators run bosh ssh, bosh scp, or bosh logs -f.
  3. Avoid interactive operations against untrusted Directors until the CLI is upgraded and the Director is verified.
  4. Review operator endpoint telemetry, shell history, SSH config, and temporary files for unexpected command execution.
  5. Rotate BOSH credentials, SSH keys, UAA tokens, and CI secrets that were used from potentially exposed machines.
  6. Limit Director access to trusted management networks and require MFA for operator authentication where possible.
  7. Rebuild or isolate operator workstations if evidence of command execution is found.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every operator system reports BOSH CLI 7.10.5 or later.
  • Validate SSH, SCP, and logs workflows work without unexpected local command execution.
  • Review endpoint and Director logs for suspicious activity during vulnerable operations.
  • Confirm rotated credentials are active and old tokens no longer work.
  • Run a Fixnx scan and confirm Director management surfaces are not publicly exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-41857?

Cloud Foundry Foundation BOSH CLI versions listed as affected should be reviewed: BOSH CLI versions prior to 7.10.5.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.