CVE-2026-47840 PUBLISHED

LDAP StartTLS unconditionally disables hostname verification

Assigner: vmware
Reserved: 20.05.2026 Published: 09.07.2026 Updated: 09.07.2026

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.3

Product Status

Vendor CloudFoundry Foundation
Product UAA
Versions Default: unaffected
  • affected from 0 to 78.13.0 (excl.)
Vendor CloudFoundry Foundation
Product Cf-deployment
Versions Default: unaffected
  • affected from 0 to 56.2.0 (excl.)

References

Problem Types

  • CWE-297 Improper Validation of Certificate with Host Mismatch CWE

Impacts

  • LDAP directory impersonation via man-in-the-middle, leading to credential harvesting and forged group memberships granting admin scopes.