CVE-2026-41860
Severity CVSS v4.0:
HIGH
Type:
CWE-326
Inadequate Encryption Strength
Publication date:
04/06/2026
Last modified:
04/06/2026
Description
CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials.<br />
<br />
Affected versions:<br />
- BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH



