
CVE-2026-40964

Published 01/06/2026 22:16 · Modified 02/06/2026 14:01

Labels: CVE-2026-40964, 2026-06-01, CWE-287, [email protected]

Essential information

Published: 01/06/2026 22:16
Modified: 02/06/2026 14:01
Author:
Creator:
CVSS: 7.5 HIGH (v3.1)
CISA KEV: No
CWE: CWE-287
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

Authentication Bypass in cf-auth-proxy in Cloud Foundry Foundation all installations allows an unauthenticated remote attacker to gain read access to every log and metric for every application and platform component via minting a JWT that the cf-auth-proxy accepts as a valid logs.admin token.

Affected versions:
- log-cache_release: all versions through v3.2.6 (inclusive); fixed in v3.2.7 or later
- CF Deployment: all versions through v55.?.0 (inclusive); fixed in v55.?.0 or later (bundles log-cache_release v3.2.7)

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product | CPE
cloud foundry / log-cache release | cpe:2.3:a:cloud_foundry:log-cache_release:<3.2.6:*:*:*:*:*:*
cloud foundry / log-cache release | cpe:2.3:a:cloud_foundry:log-cache_release:3.2.7:*:*:*:*:*:*
cloud foundry / cf-auth-proxy | cpe:2.3:a:cloud_foundry:cf-auth-proxy:*:*:*:*:*:*:*:*
cloud foundry / cf deployment | cpe:2.3:a:cloud_foundry:cf_deployment:<55.?.0:*:*:*:*:*:*

References