criticalCVE-2026-47840

Cloud Foundry UAA LDAP StartTLS Hostname Verification Bypass Vulnerability

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.

ProductUAA
CVSS9.3
EPSS0.00132
UpdatedJuly 10, 2026

Quick answer

Cloud Foundry UAA should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • UAA versions prior to v78.13.0
  • cf-deployment versions prior to v56.2.0

Fixed versions

  • UAA v78.13.0
  • cf-deployment v56.2.0

How to fix it

Cloud Foundry UAA is affected by CVE-2026-47840. LDAP StartTLS hostname verification can be bypassed, allowing a network attacker to harvest bind and user passwords and forge group memberships. Upgrade UAA before v78.13.0 and cf-deployment before v56.2.0 to UAA v78.13.0 and cf-deployment v56.2.0, then rotate LDAP and UAA credentials that may have crossed the vulnerable StartTLS channel.

  1. Inventory UAA deployments that authenticate users against LDAP over StartTLS.
  2. Upgrade UAA to v78.13.0 or later and cf-deployment to v56.2.0 or later.
  3. Verify LDAP hostname verification and trust configuration after the update.
  4. Rotate LDAP bind passwords and UAA secrets if network interception may have occurred.
  5. Review UAA group mappings, admin scopes, and recent LDAP-authenticated sessions for suspicious elevation.
  6. Restrict network paths between UAA and LDAP to trusted segments while remediation is underway.
  7. Restart UAA components and verify all instances are running the patched build.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm UAA reports v78.13.0 or later and cf-deployment reports v56.2.0 or later.
  • Test LDAP StartTLS with a certificate for the wrong hostname in staging and confirm validation fails.
  • Confirm legitimate LDAP authentication and group mapping still work after remediation.
  • Review audit logs for unexpected admin scopes or group membership changes during the exposure window.
  • Run a Fixnx scan and verify no public UAA or identity endpoint is unintentionally exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47840?

Cloud Foundry UAA versions listed as affected should be reviewed: UAA versions prior to v78.13.0, cf-deployment versions prior to v56.2.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.