CVE-2026-41013

Published: Jun 1, 2026

Modified: Jun 4, 2026

PUBLISHED

Description

An input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows a low-privileged CF space developer to bypass the mount-option allowlist and inject arbitrary kernel CIFS mount options, enabling privilege escalation and security control bypass on multi-tenant Diego cells.

Affected versions:
smb-volume-release: all versions prior to v3.60.0
CF Deployment: all versions prior to v56.0.0

Vendor | Product | Versions
CloudFoundry Foundation | smb-volume-release | affected: 0 - < 3.60.0
CloudFoundry Foundation | CF Deployment | affected: 0 - < 56.0.0

Weaknesses (CWE)
