Cloud Foundry UAA LDAP StartTLS Hostname Verification Bypass Vulnerability
A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.
Quick answer
Cloud Foundry UAA should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- UAA versions prior to v78.13.0
- cf-deployment versions prior to v56.2.0
Fixed versions
- UAA v78.13.0
- cf-deployment v56.2.0
How to fix it
Cloud Foundry UAA is affected by CVE-2026-47840. LDAP StartTLS hostname verification can be bypassed, allowing a network attacker to harvest bind and user passwords and forge group memberships. Upgrade UAA before v78.13.0 and cf-deployment before v56.2.0 to UAA v78.13.0 and cf-deployment v56.2.0, then rotate LDAP and UAA credentials that may have crossed the vulnerable StartTLS channel.
- Inventory UAA deployments that authenticate users against LDAP over StartTLS.
- Upgrade UAA to v78.13.0 or later and cf-deployment to v56.2.0 or later.
- Verify LDAP hostname verification and trust configuration after the update.
- Rotate LDAP bind passwords and UAA secrets if network interception may have occurred.
- Review UAA group mappings, admin scopes, and recent LDAP-authenticated sessions for suspicious elevation.
- Restrict network paths between UAA and LDAP to trusted segments while remediation is underway.
- Restart UAA components and verify all instances are running the patched build.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm UAA reports v78.13.0 or later and cf-deployment reports v56.2.0 or later.
- Test LDAP StartTLS with a certificate for the wrong hostname in staging and confirm validation fails.
- Confirm legitimate LDAP authentication and group mapping still work after remediation.
- Review audit logs for unexpected admin scopes or group membership changes during the exposure window.
- Run a Fixnx scan and verify no public UAA or identity endpoint is unintentionally exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-47840?
Cloud Foundry UAA versions listed as affected should be reviewed: UAA versions prior to v78.13.0, cf-deployment versions prior to v56.2.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
