HOMEVULNERABILITIESCVE-2026-41009
MEDIUM

CVE-2026-41009

CWE-22Published: May 27, 2026· Updated: May 27, 2026

5.8
CVSS v3.1
EPSS:0.01%probability of exploitation in 30 daysPercentile:1.3th

Official Description

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (line 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root.

Affected versions:

BOSH Director: All versions prior to v282.1.12

NVD Source

Technical Analysis

CVE-2026-41009 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires high privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in full integrity compromise (data manipulation), with a CVSS base score of 5.8.

The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityHigh
Privileges Req.High
User InteractionRequired
ScopeChanged
Impact
ConfidentialityNone
IntegrityHigh
AvailabilityLow
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:L

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (1)

Quick Facts

CVE IDCVE-2026-41009
CVSS Score5.8 / 10
SeverityMEDIUM
WeaknessCWE-22
CISA KEVNo
EPSS (30d)0.01%
PublishedMay 27, 2026

Related CVEs (CWE-22)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-41009 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.