CRITICAL🇵🇱 Wersja polska

CVE-2026-40965

CVSS 10.0v4.0pub. 2026-06-01upd. 2026-06-02

Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. The vulnerability affects deployments using EC keys for JWT token signing. The vulnerability does not affect RSA key configurations, only deployments using EC keys for JWT signing. Affected versions: - uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later - CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)

🤖 AI Analysis
How it works

The /token_keys endpoint is designed solely to provide public key material for JWT token verification. However, an implementation error causes the server to return not only the public part but also private key components for EC type keys. Any user with network access to the UAA instance can send an HTTP request to this endpoint without any authentication and receive the private key. The vulnerability affects only configurations using EC keys for JWT signing — configurations based on RSA keys are not exposed.

Impact

An attacker who obtains the EC private key can independently generate and sign arbitrary JWT tokens, impersonating any user or gaining unauthorized access to resources protected by Cloud Foundry. As a result, complete takeover of the environment is possible as well as compromise of dependent systems (so-called subscriber systems).

Mitigation & patch

Update uaa_release to version v78.13.0 or later. If using CF Deployment, update to version v56.1.0 or later (contains uaa_release v78.13.0). After updating, it is recommended to rotate all EC keys used for JWT signing, as private keys may have been previously disclosed, and invalidate JWT tokens issued before the fix.

Who is affected

Cloud Foundry UAA in versions v76.12.0 through v78.12.0 (inclusive) and CF Deployment in versions v30.0.0 through v56.0.0 (inclusive) — only deployments using EC (Elliptic Curve) keys for JWT signing. Deployments based on RSA keys are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References