Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 09 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Cloudfoundry
Cloudfoundry cf-deployment Cloudfoundry uaa |
|
| Vendors & Products |
Cloudfoundry
Cloudfoundry cf-deployment Cloudfoundry uaa |
Thu, 09 Jul 2026 07:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0. | |
| Title | LDAP StartTLS unconditionally disables hostname verification | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: vmware
Published:
Updated: 2026-07-09T06:26:02.169Z
Reserved: 2026-05-20T10:00:51.003Z
Link: CVE-2026-47840
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T08:30:03Z
No weakness.