A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. Affected versions: BOSH CLI versions prior to 7.10.5.
History

Fri, 10 Jul 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloudfoundry
Cloudfoundry bosh Cli
Vendors & Products Cloudfoundry
Cloudfoundry bosh Cli

Thu, 09 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 05:30:00 +0000

Type Values Removed Values Added
Description A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. Affected versions: BOSH CLI versions prior to 7.10.5.
Title BOSH CLI Shell Injection
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-07-09T04:31:33.568Z

Updated: 2026-07-09T14:12:24.049Z

Reserved: 2026-04-22T06:22:10.081Z

Link: CVE-2026-41857

cve-icon Vulnrichment

Updated: 2026-07-09T14:11:44.307Z

cve-icon NVD

No data.

cve-icon Redhat

No data.