CVE-2026-40964 Overview
CVE-2026-40964 is an authentication bypass vulnerability in the cf-auth-proxy component of Cloud Foundry Foundation. An unauthenticated remote attacker can mint a JSON Web Token (JWT) that cf-auth-proxy accepts as a valid logs.admin token. The flaw grants read access to every log and metric for every application and platform component across all installations. The issue is tracked under CWE-287: Improper Authentication and affects log-cache_release through v3.2.6 and all CF Deployment versions bundling it.
Critical Impact
Unauthenticated network attackers can read all application and platform logs and metrics across a Cloud Foundry foundation by forging a JWT accepted as a logs.admin token.
Affected Products
- Cloud Foundry log-cache_release — all versions through v3.2.6 (fixed in v3.2.7)
- Cloud Foundry cf-deployment bundling log-cache_release ≤ v3.2.6
- Cloud Foundry cf-auth-proxy component
Discovery Timeline
- 2026-06-01 - CVE-2026-40964 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-40964
Vulnerability Analysis
The cf-auth-proxy component fronts the Cloud Foundry log-cache service and is responsible for validating bearer tokens before forwarding requests to backend log and metric stores. The proxy accepts forged JWTs as legitimate logs.admin tokens. Because logs.admin confers read access to every application and platform-component log and metric stream, a successful bypass exposes the full observability surface of the foundation.
The vulnerability is exploitable over the network without prior authentication or user interaction. Exploitation impacts confidentiality only; integrity and availability of the platform are not directly affected. Logs and metrics in Cloud Foundry frequently contain sensitive runtime data, request URLs, environment context, error stack traces, and operational telemetry that supports follow-on attacks.
Root Cause
The root cause is improper JWT validation inside cf-auth-proxy. The proxy does not adequately verify the cryptographic signature, issuer, or claims of inbound tokens before treating them as authoritative. As a result, a token minted outside the trusted Cloud Foundry User Account and Authentication (UAA) service can be presented and accepted with the logs.admin scope. See the Cloud Foundry advisory for the upstream fix description.
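The checks a proxy in cf-auth-proxy's position has to perform before trusting a bearer token, as an added Go example that is not the component's or the Cloud Foundry project's code: pin the algorithm, resolve the kid against the foundation's UAA public keys, verify the RS256 signature, then check issuer, expiry and finally the logs.admin scope. The issuer URL, kid and key pair are constructed (a locally generated key stands in for UAA's signing key), and the Sign helper stands in for UAA's token endpoint only so that the verifier can be exercised against a genuine token and one signed under a key UAA never held.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Header and Claims are the JWT fields a token-validating proxy has to check.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}
type Claims struct {
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
	Scope []string `json:"scope"`
}

// Verifier pins the trusted UAA issuer and its public keys by kid. It is a hypothetical
// stand-in for the checks cf-auth-proxy must perform, not the component's own code.
type Verifier struct {
	Issuer string
	Keys   map[string]*rsa.PublicKey
}
var b64 = base64.RawURLEncoding

// Verify accepts a token only if it is RS256, its kid names a pinned UAA key, the
// signature verifies under that key, iss matches, exp is still in the future, and
// the scope list contains requiredScope (logs.admin for log-cache reads).
func (v *Verifier) Verify(token, requiredScope string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h Header
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, errors.New("undecodable header")
	}
	if h.Alg != "RS256" { // the token never gets to pick a weaker or absent algorithm
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	key, ok := v.Keys[h.Kid]
	if !ok { // a kid outside the foundation's UAA key set is itself an indicator
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify under the UAA key")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("undecodable payload")
	}
	if c.Iss != v.Issuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	for _, s := range c.Scope {
		if s == requiredScope {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("missing scope %s", requiredScope)
}

// Sign builds an RS256 JWT; it stands in for UAA's token endpoint in main and the tests.
func Sign(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hb, _ := json.Marshal(Header{Alg: "RS256", Kid: kid})
	pb, _ := json.Marshal(c)
	signing := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(sig), nil
}

func main() {
	uaaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	foreignKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key UAA never held
	v := &Verifier{Issuer: "https://uaa.example.internal/oauth/token", // constructed issuer URL
		Keys: map[string]*rsa.PublicKey{"uaa-key-1": &uaaKey.PublicKey}}
	c := Claims{Iss: v.Issuer, Exp: time.Now().Add(time.Hour).Unix(), Scope: []string{"logs.admin"}}
	for name, k := range map[string]*rsa.PrivateKey{"uaa-signed": uaaKey, "foreign-signed": foreignKey} {
		tok, _ := Sign(k, "uaa-key-1", c) // same kid in both; only one signature is genuine
		_, err := v.Verify(tok, "logs.admin")
		fmt.Printf("%-15s accepted=%v err=%v\n", name, err == nil, err)
	}
}
```

The order of the checks matters: algorithm and kid are pinned before the signature is examined, so a token cannot steer the verifier toward a key or algorithm of its choosing, and claims are only parsed after the signature has been confirmed, so issuer, expiry and scope are read from data UAA actually signed. In a real deployment the Keys map is populated from the foundation's UAA token-key endpoint and refreshed on rotation.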
Attack Vector
An attacker with network reachability to the log-cache endpoint crafts a JWT containing the logs.admin scope and submits it as a bearer token to the cf-auth-proxy HTTP interface. The proxy validates the token incorrectly and routes the request to log-cache. The attacker then issues read queries against the log and metric APIs for any application GUID or platform component, exfiltrating the data through normal API responses.
No verified public proof-of-concept code is available for this vulnerability. Refer to the Cloud Foundry blog post for technical details.
Detection Methods for CVE-2026-40964
Indicators of Compromise
- Requests to log-cache endpoints (/api/v1/read, /api/v1/meta, /api/v1/info) carrying bearer tokens that do not correspond to UAA-issued sessions for known operators or service accounts.
- JWTs presented to cf-auth-proxy whose iss claim, kid, or signing key does not match the foundation's UAA configuration.
- Spikes in log-cache read volume or queries enumerating application GUIDs across multiple orgs and spaces from a single source IP.
Detection Strategies
- Parse cf-auth-proxy and gorouter access logs for logs.admin-scoped requests and correlate token subjects against authorized UAA principals.
- Alert on log-cache API responses returning data for application GUIDs that the requesting identity has no role binding to in Cloud Controller.
- Hunt for unusual User-Agent strings, non-CLI client fingerprints, or off-hours administrative log queries against log-cache.<system-domain>.
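A scanner for the indicators above (foreign iss, unknown kid, logs.admin presented by a principal outside the operator allow-list, and per-source read volume above a baseline), as an added Go example that is not Cloud Foundry code or code from this advisory. It runs over a constructed access log whose line format, issuer URL, kids, subjects and IP addresses are all made up for the example; cf-auth-proxy's real access-log format will differ, so the lineRe pattern is the part to adapt. Decoding deliberately skips signature verification because the purpose is triage of past requests, not authorization.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"slices"
	"strings"
)

// Policy captures what a legitimate logs.admin request looks like on one foundation: the UAA
// issuer, the kids of its signing keys, the principals entitled to logs.admin, and how many
// /api/v1/read calls one source may make before its volume is flagged.
type Policy struct {
	Issuer            string
	KnownKids         map[string]bool
	AdminSubjects     map[string]bool
	MaxReadsPerSource int
}

// Finding is one alert raised while scanning the access log.
type Finding struct{ Line int; Source, Reason string }

// Constructed log shape, not cf-auth-proxy's real format: <ts> src=<ip> <method> <path> authorization="Bearer <jwt>"
var lineRe = regexp.MustCompile(`^(\S+) src=(\S+) (\S+) (\S+) authorization="Bearer ([^"]+)"`)

// peek decodes a JWT header and payload without checking the signature: enough for triage
// over historical logs, never a substitute for the proxy's own validation.
func peek(token string) (kid, iss, sub string, scopes []string, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return
	}
	var h struct{ Kid string } // encoding/json matches keys case-insensitively, so no tags
	var c struct{ Iss, Sub string; Scope []string }
	hb, errH := base64.RawURLEncoding.DecodeString(parts[0])
	pb, errP := base64.RawURLEncoding.DecodeString(parts[1])
	if errH != nil || errP != nil || json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil {
		return
	}
	return h.Kid, c.Iss, c.Sub, c.Scope, true
}

// Scan applies the indicators to each line: foreign issuer, unknown kid, logs.admin held by a
// subject outside the allow-list, and per-source read volume above the baseline.
func Scan(p Policy, lines []string) []Finding {
	var out []Finding
	reads := map[string]int{}
	for i, line := range lines {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a bearer-token request
		}
		n, src, path, tok := i+1, m[2], m[4], m[5]
		if strings.HasPrefix(path, "/api/v1/read/") {
			if reads[src]++; reads[src] == p.MaxReadsPerSource+1 {
				out = append(out, Finding{n, src, "read volume above baseline"})
			}
		}
		kid, iss, sub, scopes, ok := peek(tok)
		switch {
		case !ok:
			out = append(out, Finding{n, src, "unparseable bearer token"})
		case iss != p.Issuer:
			out = append(out, Finding{n, src, "issuer " + iss + " is not the foundation UAA"})
		case !p.KnownKids[kid]:
			out = append(out, Finding{n, src, "kid " + kid + " is not a UAA signing key"})
		case slices.Contains(scopes, "logs.admin") && !p.AdminSubjects[sub]:
			out = append(out, Finding{n, src, "logs.admin presented by unauthorized subject " + sub})
		}
	}
	return out
}

// token builds an unsigned JWT-shaped string for the constructed sample log; the signature
// segment is a placeholder because Scan never checks it.
func token(kid, iss, sub string, scopes ...string) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "RS256", "kid": kid}) + "." +
		enc(map[string]any{"iss": iss, "sub": sub, "scope": scopes}) + ".c2ln"
}

const uaa = "https://uaa.example.internal/oauth/token" // constructed issuer URL
// DefaultPolicy and SampleLog are constructed fixtures, not data from a real foundation.
func DefaultPolicy() Policy {
	return Policy{Issuer: uaa, KnownKids: map[string]bool{"uaa-key-1": true},
		AdminSubjects: map[string]bool{"operator-1": true}, MaxReadsPerSource: 2}
}

func SampleLog() []string {
	entry := func(src, path, tok string) string {
		return fmt.Sprintf(`2026-06-03T10:15:02Z src=%s GET %s authorization="Bearer %s"`, src, path, tok)
	}
	return []string{
		entry("10.0.1.5", "/api/v1/read/app-guid-1", token("uaa-key-1", uaa, "operator-1", "logs.admin")),
		entry("203.0.113.9", "/api/v1/read/app-guid-1", token("uaa-key-1", "https://uaa.other.example/oauth/token", "admin", "logs.admin")),
		entry("203.0.113.9", "/api/v1/read/app-guid-2", token("rogue-key", uaa, "admin", "logs.admin")),
		entry("203.0.113.9", "/api/v1/read/app-guid-3", token("uaa-key-1", uaa, "svc-metrics", "logs.admin")),
		entry("10.0.1.5", "/api/v1/meta", token("uaa-key-1", uaa, "operator-1", "logs.admin")),
		"2026-06-03T10:15:03Z src=10.0.1.7 GET /api/v1/info", // no bearer token: skipped
	}
}
```

Run as `Scan(DefaultPolicy(), SampleLog())`: the genuine operator requests produce nothing, the second line is flagged for its issuer, the third for its kid, and the fourth both for exceeding the two-read baseline and for presenting logs.admin from a subject that is not an authorized principal. The switch reports the strongest indicator per line, so a token that fails issuer is not also reported for kid or subject; when feeding this into a SIEM you would normally emit every matching indicator instead, and the per-source baseline should be derived from observed operator behaviour rather than the fixed value used here.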
Monitoring Recommendations
- Centralize cf-auth-proxy, UAA, and gorouter logs in a SIEM such as Singularity Data Lake and apply OCSF-normalized detections for anomalous bearer-token issuers.
- Track per-source-IP request rates to log-cache and baseline normal operator behavior to surface scraping activity.
- Enable platform audit logging for Cloud Controller role lookups and cross-reference with log-cache read events.
How to Mitigate CVE-2026-40964
Immediate Actions Required
- Upgrade log-cache_release to v3.2.7 or later on every Cloud Foundry foundation.
- Update cf-deployment to the release that bundles log-cache_release v3.2.7 or later.
- Rotate UAA signing keys and revoke any tokens that may have been issued or accepted during the exposure window.
- Review log-cache access records for evidence of unauthorized reads since the component was deployed.
Patch Information
The Cloud Foundry Foundation has released log-cache_release v3.2.7, which corrects the JWT validation logic in cf-auth-proxy. Operators running BOSH-managed foundations should redeploy with the updated release reference. Full remediation details are available in the Cloud Foundry advisory.
Workarounds
- Restrict network reachability to the log-cache and cf-auth-proxy endpoints to trusted operator networks using firewall or security group rules until patching completes.
- Place an additional reverse proxy in front of cf-auth-proxy that enforces mutual TLS or IP allow-listing for log-cache API consumers.
- Disable or de-scope unused logs.admin client grants in UAA to reduce the value of a forged token.
# Pin log-cache_release to the patched version in your cf-deployment ops file.
# log-cache_version is a placeholder variable name rather than one cf-deployment ships:
# cf-deployment pins release versions in the manifest, so pass it only if an ops file
# of your own interpolates it into the log-cache release entry.
bosh -d cf deploy cf-deployment.yml \
--ops-file operations/use-compiled-releases.yml \
-v log-cache_version=3.2.7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

