Threat Advisory

Cloud Foundry Vulnerability Exposes JWT Signing Keys

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Cloud Foundry's User Account and Authentication (UAA) component, affecting releases v76.12.0 through v78.12.0. The primary issue is an unauthenticated key disclosure: the public /token_keys endpoint, which is meant to publish only the public half of the JWT signing keys as a JWK Set, also returns the Elliptic Curve private signing keys. Anyone who can reach the endpoint can use a disclosed private key to mint JWTs that UAA accepts as genuine, bypassing authentication entirely. Additional weaknesses include potential denial of service from resource-consumption flaws in related services. Exploitation requires only network access to the vulnerable endpoint; no credentials are needed. The business impact ranges from loss of data confidentiality to complete compromise of user accounts and critical services, undermining trust in the platform's identity management.

  • CVE-2026-40965 with a CVSS score of 10.0 – Unauthenticated actors can retrieve EC private keys from the /token_keys endpoint, allowing them to forge JWTs and impersonate any user; exploitation requires only network connectivity to the UAA service.
  • CVE-2026-26007 with a CVSS score of 8.2 – A flaw in the Python cryptography library can leak private keys when certain malformed inputs are processed, enabling attackers with local code execution to extract credentials; the prerequisite is the presence of the vulnerable library version.
  • CVE-2026-27212 with a CVSS score of 9.4 – A prototype-pollution issue in the Swiper component permits remote attackers to modify global JavaScript objects, leading to cross-site scripting and potential data theft; exploitation requires hosting a malicious web page that interacts with the vulnerable library.

Because the key disclosure needs no authentication, the vulnerability presents an immediate and severe threat to any organization relying on Cloud Foundry UAA for authentication. An attacker holding a disclosed private key can sign JWTs for any subject, scope or client, bypass access controls, and gain unrestricted access to critical applications, resulting in data breaches, regulatory penalties, and loss of customer confidence. Prompt executive attention is required to close the exposure and retire any key that may already have been read.
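The following is an added example, not code from the advisory or from the Cloud Foundry project. It implements the check a responder would run against a saved /token_keys response: parse the JWK Set and flag any key that carries private members (the "d" scalar for EC keys; "d", "p", "q" and friends for RSA), then match the "kid" in captured JWT headers against the leaked keys to triage which tokens could have been forged. The JWKS and the token below are constructed for illustration; the coordinate and scalar values are placeholders, not real key material, and only the standard library is used.

```python
"""Audit a UAA-style /token_keys (JWK Set) response for leaked private key material.

Added example; not part of the advisory or of Cloud Foundry UAA. Sample data is
constructed and all key values are placeholders, not real keys.
"""
import base64
import json

# Private JWK members as defined in RFC 7518 (EC: 6.2.2, RSA: 6.3.2) and
# RFC 8037 (OKP). None of these may appear in a published JWK Set.
PRIVATE_MEMBERS = {
    "EC": {"d"},
    "OKP": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
}

# Constructed sample response: a correctly published EC key, an EC key that
# leaks its private scalar "d", and a correctly published RSA key.
SAMPLE_TOKEN_KEYS = json.dumps({
    "keys": [
        {"kty": "EC", "use": "sig", "alg": "ES256", "kid": "ec-key-1",
         "crv": "P-256", "x": "placeholder-x-1", "y": "placeholder-y-1"},
        {"kty": "EC", "use": "sig", "alg": "ES256", "kid": "ec-key-2",
         "crv": "P-256", "x": "placeholder-x-2", "y": "placeholder-y-2",
         "d": "placeholder-private-scalar-not-a-real-key"},
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "rsa-key-1",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
})


def find_leaked_keys(jwks: dict) -> list:
    """Return one finding per JWK in the set that exposes private members."""
    findings = []
    for jwk in jwks.get("keys", []):
        kty = jwk.get("kty", "")
        leaked = sorted(PRIVATE_MEMBERS.get(kty, set()) & set(jwk))
        if leaked:
            findings.append({"kid": jwk.get("kid"), "kty": kty, "leaked": leaked})
    return findings


def audit_token_keys(body: str) -> list:
    """Parse a raw /token_keys response body and audit it."""
    return find_leaked_keys(json.loads(body))


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def kid_of(jwt: str) -> str:
    """Read 'kid' from a compact JWT header. No signature check is done here:
    the point is to triage which key a token claims to be signed with."""
    header = json.loads(_b64url_decode(jwt.split(".")[0]))
    return header.get("kid")


def tokens_using_leaked_keys(jwts: list, findings: list) -> list:
    """Select tokens whose header 'kid' refers to a key found to be leaked."""
    leaked_kids = {f["kid"] for f in findings}
    return [t for t in jwts if kid_of(t) in leaked_kids]


# Constructed token with a placeholder signature; only its header matters here.
SAMPLE_SUSPECT_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "ES256", "kid": "ec-key-2", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "admin", "scope": ["uaa.admin"]}).encode()),
    "placeholder-signature",
])
SAMPLE_OK_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "ES256", "kid": "ec-key-1", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "user"}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    found = audit_token_keys(SAMPLE_TOKEN_KEYS)
    for f in found:
        print(f"LEAK kid={f['kid']} kty={f['kty']} private members={f['leaked']}")
    for t in tokens_using_leaked_keys([SAMPLE_SUSPECT_TOKEN, SAMPLE_OK_TOKEN], found):
        print("token may be forged, kid:", kid_of(t))
```

In practice the body passed to audit_token_keys would be the saved output of a GET against the UAA /token_keys endpoint, and the token list would come from access logs or a proxy capture. A non-empty finding list after patching means the fix is not in place; a non-empty list before patching means every listed key must be rotated, not merely hidden.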

RECOMMENDATION:

  • Update Cloud Foundry UAA to version v78.13 or later.
  • Treat every signing key served by an affected release as compromised: rotate the UAA JWT signing keys after patching, because tokens signed with a disclosed private key remain valid for as long as that key stays in the trusted set.
  • Verify the fix by fetching /token_keys and confirming that no JWK in the response carries private members (for EC keys, the "d" parameter).

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/cloud-foundry-key-disclosure-cve-2026-40965/
