CVE-2026-47829 in bosh-cliinfo

Summary

by MITRE • 07/09/2026

Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to local command execution on the operator's workstation. Affected versions: bosh-cli versions prior to v7.10.4.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability described represents a critical argument injection flaw in the bosh-cli tool that enables remote code execution through compromised BOSH Director environments. This security weakness specifically affects versions prior to v7.10.4 and exploits the improper handling of user-supplied arguments when executing SSH commands in non-interactive modes. The issue manifests when operators utilize commands such as bosh ssh -c, bosh logs -f, or similar non-interactive SSH pathways that spawn local SSH processes on the operator's workstation.

The technical implementation of this vulnerability stems from insufficient input sanitization and argument validation within the bosh-cli codebase. When operators execute commands that require SSH connections to BOSH-deployed VMs, the tool constructs SSH command arguments by directly incorporating user-provided parameters without proper escaping or validation. This allows an attacker who has compromised the BOSH Director to inject malicious OpenSSH options that get passed through to the locally-executed SSH process on the operator's machine.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables arbitrary command execution on the operator's workstation with the privileges of the user running the bosh-cli tool. This creates a significant attack surface where an attacker can potentially exfiltrate sensitive data, establish persistent access, or escalate privileges further within the operator's environment. The vulnerability is particularly concerning in enterprise environments where BOSH operators may have elevated privileges and access to critical infrastructure components.

This flaw aligns with CWE-77 and CWE-88 categories from the Common Weakness Enumeration, specifically addressing command injection vulnerabilities that arise from improper handling of external input in shell commands. From an attack framework perspective, this vulnerability maps to techniques described in the MITRE ATT&CK framework under T1059.001 (Command and Scripting Interpreter) and T1021.004 (SSH). The vulnerability demonstrates a classic path from initial compromise of a BOSH Director through command injection to full system compromise on the operator's workstation.

The recommended mitigation strategy involves upgrading to bosh-cli version 7.10.4 or later, which implements proper argument sanitization and validation mechanisms. Organizations should also consider implementing additional network segmentation controls between BOSH Directors and operator workstations, enforcing strict access controls for BOSH CLI usage, and monitoring for suspicious SSH command patterns in their environments. Security teams should conduct comprehensive vulnerability assessments to identify any instances where older versions might still be in use within their infrastructure.

Additional protective measures include implementing principle of least privilege for BOSH CLI operations, establishing secure coding practices for argument handling, and considering the deployment of automated scanning tools that can detect potentially malicious SSH option injections. Organizations should also review their incident response procedures to ensure readiness for potential exploitation of this vulnerability type, as it represents a sophisticated attack vector that could be used to establish persistent access within critical infrastructure environments.

Responsible

Vmware

Reservation

05/20/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!