CVE-2026-41010 - BOSH Director release job command injection
BOSH Director versions before v282.1.12 can interpolate a job name from an
uploaded BOSH release manifest into a shell command while unpacking release
jobs. An authenticated actor with release-upload authority can craft a release
whose release.MF job name contains shell metacharacters, causing command
execution on the Director VM during the asynchronous release update flow.
This is a platform-control-plane issue. The attacker already needs a privileged BOSH scope such as release upload, but successful exploitation can execute with the Director process authority and can affect platform credentials, release state, deployment manifests, and downstream runtime integrity.
When to use it
- A repository deploys, pins, renders, or documents BOSH Director,
bosh-deployment, platform automation, Concourse/GitHub release-upload jobs, or generated Director manifests. - Release upload is available to automation, tenants, PR-driven jobs, mirrored release pipelines, or broad platform roles.
- BOSH Director references may resolve below
v282.1.12, or release-upload authority is broader than a small trusted operator group. - You need a bounded PR or triage note that upgrades Director, narrows release upload, and documents audit/credential follow-up.
Inputs
bosh-deploymentpins, ops files, deployment locks, rendered manifests, Concourse/GitHub workflows, Terraform/platform automation, CredHub/UAA bootstraps, SBOMs, generated evidence, and runbooks.- Director version, release-upload scripts, release source provenance,
bosh.releases.uploadidentities, cloud/CredHub/UAA credential boundaries, audit logs, and rollout owners. - Available manifest rendering, policy checks, workflow lint, deployment dry-runs, SBOM, and dependency/security scans.
Affected versions
- Vulnerable: BOSH Director
< v282.1.12 - Fixed: BOSH Director
v282.1.12+ - Affected operation: uploading and unpacking BOSH releases
- Required attacker capability:
bosh.releases.upload,bosh.<env>.releases.upload, or broader admin-equivalent authority
Indicator-of-exposure
- The repository pins, vendors, deploys, or documents BOSH Director before
v282.1.12, includingbosh-deployment, ops files, Concourse tasks, Terraform, CredHub/UAAC bootstraps, platform automation, or generated deployment manifests. - Release upload is available to users, automation, tenants, platform teams, or CI credentials that are not limited to a small set of highly trusted platform operators.
- Automation uploads releases from pull requests, build artifacts, external buckets, vendor drops, mirrored repositories, or agent-generated packages.
- The Director VM can access cloud credentials, CredHub, UAA clients, deployment state, stemcell or release storage, or internal platform networks.
Quick checks:
rg -n "bosh-deployment|bosh-director|BOSH Director|director.yml|bosh.yml|v282\\.|releases\\.upload|bosh\\.releases\\.upload|upload release|bosh upload-release|Jobs::UpdateRelease|ReleaseJob" .
rg -n "bosh upload-release|upload-release|releases upload|release tarball|release.MF" .github ci concourse deploy ops terraform scripts 2>/dev/null
Windows:
rg -n "bosh-deployment|bosh-director|BOSH Director|director.yml|bosh.yml|v282\\.|releases\\.upload|bosh\\.releases\\.upload|upload release|bosh upload-release|Jobs::UpdateRelease|ReleaseJob" .
rg -n "bosh upload-release|upload-release|releases upload|release tarball|release.MF" .github ci concourse deploy ops terraform scripts
Do not upload crafted releases, place shell metacharacters in release names, or run proof-of-concept release tarballs during triage.
Remediation strategy
- Upgrade every repository-controlled BOSH Director deployment reference to
v282.1.12+. - Refresh rendered manifests, lockfiles, pinned releases, image or VM metadata, platform automation docs, SBOMs, and generated evidence that name the Director version.
- Restrict release-upload scopes to highly trusted operators and narrowly scoped automation. Remove release-upload capability from general developer, tenant, PR, and shared CI identities.
- Require release provenance for automated uploads: signed source, known bucket, expected SHA, and approval before the Director receives the tarball.
- Add a policy or CI check where this repo owns BOSH configuration so rendered
Director versions below
v282.1.12fail review. - Review BOSH audit logs and release upload history for unexpected uploads, unusual release names, or automation credentials used outside normal windows.
The prompt
You are remediating CVE-2026-41010, a BOSH Director command-injection issue in
release job unpacking. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades all repository-controlled
BOSH Director deployment references to v282.1.12 or later, restricts release
upload authority, adds safe policy checks, refreshes generated artifacts, and
documents operator audit work, or
- TRIAGE.md if this repository does not control an affected BOSH Director
deployment, platform automation path, release-upload job, or rendered
manifest.
## Rules
- Scope only CVE-2026-41010 and directly related BOSH release-upload controls.
- Treat BOSH credentials, UAA clients, CredHub values, cloud credentials,
deployment manifests, release blobs, audit logs, and release tarballs as
sensitive.
- Do not create or upload malicious BOSH releases, use shell metacharacter job
names, run proof-of-concept tarballs, or execute probes on a live Director.
- Do not remove release signing, release verification, audit logging, or
approval gates to make the finding disappear.
- Do not auto-merge.
## Steps
1. Inventory every BOSH Director reference controlled by this repository:
`bosh-deployment` pins, ops files, deployment manifests, Concourse tasks,
GitHub Actions, Terraform, platform automation, CredHub/UAA bootstraps,
release upload scripts, generated manifests, docs, SBOMs, and dependency
reports.
2. Determine every resolved BOSH Director version. A target is vulnerable if it
resolves below `v282.1.12`.
3. Search for release upload paths: `bosh upload-release`, upload-release
scripts, Concourse resources, vendored release tarballs, external release
buckets, PR-driven release builds, mirror jobs, `release.MF` handling, and
automation credentials with release-upload scope.
4. Search authorization data and docs for identities with
`bosh.releases.upload`, `bosh.<env>.releases.upload`, `bosh.admin`, or
broad platform-admin roles. Record identity names or role names only; never
print secret values.
5. If this repository does not deploy BOSH Director or upload releases, stop
with `TRIAGE.md` listing checked files, the owning platform team, and the
required fixed Director version.
6. Upgrade every controlled BOSH Director reference to `v282.1.12+`. Refresh
rendered manifests, deployment locks, release pins, checksums, generated
docs, image or VM metadata, SBOMs, and platform evidence.
7. Add a non-exploit policy check where practical:
- parse rendered Director version or release pin;
- fail closed below `v282.1.12`;
- emit a non-secret remediation message;
- run before deployment or release-upload jobs.
8. Reduce release-upload blast radius:
- remove release-upload from general developer, tenant, and shared CI roles;
- require explicit approval for release upload automation;
- pin release sources and verify expected SHA or signature before upload;
- isolate release upload jobs from credentials that can mutate unrelated
platform state.
9. Add regression coverage that does not execute attacker input:
- rendered BOSH Director version is `v282.1.12+`;
- release-upload jobs cannot run from untrusted PR contexts;
- release-upload credentials are scoped to release upload only where
possible;
- release source allow-lists, signatures, or checksums are enforced;
- logs and validation output omit CredHub, UAA, cloud, and BOSH secrets.
10. Add a PR body section named `CVE-2026-41010 operator actions` that states:
- BOSH Director versions before and after;
- every Director deployment target changed or triaged;
- which jobs can upload releases after the patch;
- which identities had release-upload scope before the change;
- which audit logs, release upload history, and unexpected release names
operators should review;
- whether any BOSH, CredHub, UAA, cloud, or automation credentials require
rotation.
11. Run available validation: manifest rendering, platform automation tests,
policy checks, Concourse or workflow lint, deployment dry-run, SBOM refresh,
dependency/security scans, and non-secret smoke checks.
12. Use PR title:
`fix(sec): remediate CVE-2026-41010 in BOSH Director`.
## Stop conditions
- No BOSH Director deployment, release-upload automation, rendered manifest, or
release pin is controlled by this repository.
- The Director is owned by another platform team or vendor; name the owner and
required version in `TRIAGE.md`.
- Upgrading the Director requires a broader platform migration or maintenance
window the agent cannot schedule.
- Validating exposure would require uploading crafted releases, executing shell
metacharacter payloads, or inspecting production secrets.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No repository-controlled BOSH Director deployment target resolves below
v282.1.12. - Rendered manifests, release pins, generated docs, SBOMs, and platform evidence agree on the fixed Director version.
- Release-upload authority is limited to trusted operators and tightly scoped automation.
- Automated upload paths verify release provenance before
bosh upload-release. - The PR includes operator audit guidance without printing credentials, release blob contents, or production audit-log data.
Output contract
- Reviewer-ready PR upgrading all controlled BOSH Director references to
v282.1.12+with refreshed rendered manifests, pins, checksums, SBOMs, generated docs, and platform evidence. - Policy checks that fail rendered Director versions below
v282.1.12and prevent release-upload from untrusted PR or broad shared CI contexts. - Operator notes for release-upload scope review, release provenance, audit log review, unexpected release names, and BOSH/CredHub/UAA/cloud credential rotation when warranted.
TRIAGE.mdwhen Director runtime, platform automation, release-upload jobs, or audit/rotation ownership is outside this repository.
Watch for
- Updating a docs version while generated manifests, Concourse tasks, or deployment locks still pin the vulnerable Director.
- Assuming release upload is safe because it is authenticated; this CVE starts from a privileged but plausible platform role.
- PR or fork workflows that can build and upload release tarballs with platform credentials.
- Release-upload jobs that also hold broad CredHub, UAA, cloud, or BOSH admin credentials.
- Audit logs that reveal secrets or tenant details when attached to the PR.
Related recipes
- CVE-2026-40903 goshs ArtiPACKED GitHub token leakage
- Critical infrastructure secure context
- Source code supply-chain build integrity audit