highCVE-2026-47826

BOSH CLI blobs.yml Path Traversal Vulnerability

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4.

ProductBOSH CLI
CVSS8.5
EPSS0.00331
UpdatedJuly 10, 2026

Quick answer

Cloud Foundry Foundation BOSH CLI should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • BOSH CLI tool versions prior to v7.10.4

Fixed versions

  • v7.10.4

How to fix it

BOSH CLI before v7.10.4 allowed path traversal through blobs.yml path keys, which could write or disclose unintended files during release operations. Upgrade the CLI and review release repositories and build hosts for malicious blob paths.

  1. Inventory BOSH release build systems and operator machines that process blobs.yml files.
  2. Upgrade BOSH CLI to v7.10.4 or later everywhere release create, upload, or blob commands run.
  3. Review release repositories for blobs.yml entries containing absolute paths, dot-dot traversal, or unexpected file targets.
  4. Run release operations from clean worktrees and least-privilege build accounts.
  5. Remove or quarantine untrusted release repositories until blob paths are reviewed.
  6. Audit build host filesystem changes and shell logs for unexpected reads or writes during vulnerable BOSH CLI runs.
  7. Rotate credentials stored on affected workstations if sensitive local files may have been read.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every release build environment uses BOSH CLI v7.10.4 or later.
  • Validate malicious blobs.yml path traversal entries are rejected or normalized safely.
  • Confirm release repositories no longer contain suspicious blob path keys.
  • Review file integrity and audit logs on build hosts used before the upgrade.
  • Run a Fixnx scan and confirm release or blobstore services are not publicly exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47826?

Cloud Foundry Foundation BOSH CLI versions listed as affected should be reviewed: BOSH CLI tool versions prior to v7.10.4.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.