10 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Description
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to private key exposure. The public /token_keys endpoint is designed to publish public key material for JWT token verification, but for EC (Elliptic Curve) keys it inadvertently includes the private key components as well. Only deployments that use EC keys for JWT token signing are affected; RSA key configurations are not affected.
Affected versions:
- uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later
- CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
AI Analysis
Private key exposure vulnerability in Cloud Foundry UAA
Basic Information
ID: CVE-2026-40965
Source: vmware
Published: Jun 1, 2026 at 21:22
Affected Product
Vendor: Cloud Foundry Foundation
Product: uaa_release
Version: 76.12.0
Affected Versions
- Cloud Foundry Foundation uaa_release 76.12.0
- Cloud Foundry Foundation CF Deployment 30.0.0
CWE Classification
AI Assessment
AI Score: 10 / 10
AI Severity: Critical
Vendor: Cloud Foundry Foundation
Product: Cloud Foundry UAA
Version: v76.12.0 through v78.12.0