highCVE-2026-47828

BOSH CLI DAV Blobstore TLS Certificate Verification Bypass Vulnerability

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director, then replay the credentials against the real VM's agent for root code execution. Affected versions: bosh-cli versions prior to v7.10.4.

ProductBOSH CLI
CVSS8.9
EPSS0.00088
UpdatedJuly 10, 2026

Quick answer

Cloud Foundry Foundation BOSH CLI should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • bosh-cli versions prior to v7.10.4

Fixed versions

  • v7.10.4

How to fix it

BOSH CLI before v7.10.4 did not properly verify TLS certificates for DAV blobstore transfers during create-env or delete-env workflows. Upgrade the CLI, rotate blobstore and bootstrap secrets, and rerun sensitive deployment actions only from trusted networks.

  1. Identify operators and automation that use BOSH CLI create-env or delete-env with DAV blobstores.
  2. Upgrade BOSH CLI to v7.10.4 or later on all workstations and CI runners.
  3. Rotate DAV blobstore credentials, BOSH deployment manifests secrets, CA material, and bootstrap credentials that could have crossed an untrusted network.
  4. Rerun create-env or delete-env only from trusted networks after the upgraded CLI is verified.
  5. Inspect recent blobstore, proxy, and network logs for unexpected TLS interception or credential reuse.
  6. Pin trusted CA configuration where supported and remove temporary insecure connection workarounds.
  7. Rebuild affected Directors or deployments if deployment templates or secrets may have been intercepted.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm all create-env and delete-env runners use BOSH CLI v7.10.4 or later.
  • Validate DAV blobstore connections fail when presented with an untrusted certificate.
  • Verify rotated DAV, BOSH, and deployment secrets are active and old credentials no longer work.
  • Review network logs for suspicious access to blobstore endpoints during vulnerable deployment windows.
  • Run a Fixnx scan and confirm blobstore and Director endpoints are not exposed publicly.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47828?

Cloud Foundry Foundation BOSH CLI versions listed as affected should be reviewed: bosh-cli versions prior to v7.10.4.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.