CVE-2026-41013
Published 2026-06-01
Priority P3 · 54 · high · 8.1 CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.24% (14.9th percentile)
An input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows a low-privileged CF space developer to inject arbitrary kernel CIFS mount options by bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells.
Affected versions:
smb-volume-release: All versions prior to v3.60.0
CF Deployment: All versions prior to v56.0.0
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cloudfoundry_foundation | cf_deployment | < 56.0.0 | 56.0.0 |
| cloudfoundry_foundation | smb-volume-release | < 3.60.0 | 3.60.0 |
GHSA
ghsa_unreviewed·2026-06-01
CVE-2026-41013 [HIGH] CWE-88 Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the m
VulDB
vuldb·2026-06-01·CVSS 8.1
CVE-2026-41013 [HIGH] CloudFoundry smb-volume-release/CF Deployment SMB Volume Mount Handler argument injection (EUVD-2026-33727)
A vulnerability was found in CloudFoundry smb-volume-release and CF Deployment. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component SMB Volume Mount Handler. Such manipulation leads to argument injection.
This vulnerability is referenced as CVE-2026-41013. It is possible to launch the attack remotely. No exploit is available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-01 · Published