4 matches found

Vulnrichment
added 2026/05/27 7:13 a.m., 11 views

CVE-2026-41704 Compromised VM can make arbitrary blobstore deletes

AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (lines 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through formatexcepti...

CVSS: 6.8, AI score: 5.8, EPSS: 0.00082
Exploits: 0, References: 1

Vulnrichment
added 2026/05/27 6:45 a.m., 8 views

CVE-2026-41009 Local Blobstore may allow arbitrary reads/deletes

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (lines 332-339) reads response['value']['result']['compile_log_id'] and format_exception (lines 318-325) reads exception['blobstore_id']; both pass the agent-supplied string...

CVSS: 5.8, AI score: 5.8, EPSS: 0.00099
Exploits: 0, References: 1

CVE
added 2026/05/27 6:45 a.m., 12 views

CVE-2026-41009

CVE-2026-41009 affects BOSH Director: all versions prior to v282.1.12. The vulnerability arises when the director uses a local blobstore; Blobstore::LocalClient#object_file_path joins the blobstore path with the provided oid without normalisation, enabling path traversal (e.g., oid = "../../jobs/...

CVSS: 5.8, AI score: 5.8, EPSS: 0.00099
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2026/05/27 6:45 a.m., 29 views

CVE-2026-41009 Local Blobstore may allow arbitrary reads/deletes

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (lines 332-339) reads response['value']['result']['compile_log_id'] and format_exception (lines 318-325) reads exception['blobstore_id']; both pass the agent-supplied string...

CVSS: 5.8, EPSS: 0.00099
Exploits: 0, References: 1