Cloudfoundry

By the Year

In 2026 there have been 1 vulnerability in Cloudfoundry with an average score of 7.5 out of ten. Last year, in 2025 Cloudfoundry had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Cloudfoundry in 2026 could surpass last years number. Interestingly, the average vulnerability score and the number of vulnerabilities for 2026 and last year was the same.

Recent Cloudfoundry Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-22727	Mar 17, 2026	CVE-2026-22727: Unprotected Int Endpts in CF CAPI <=1.226 (CF Deploy <=54.9) Unprotected internal endpoints in Cloud Foundry Capi Release 1.226.0 and below, and CF Deployment v54.9.0 and below on all platforms allows any user who has bypassed the firewall to potentially replace droplets and therefore applications allowing them to access secure application information.
CVE-2025-22246	May 13, 2025	CF UAA v7.21.0-v7.31.0 Key Exposure in Logs Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.	Cf Deployment Uaa Release
CVE-2024-38826	Nov 11, 2024	Cloud Foundry Cloud Controller v1.194.0 - Arbitrary File Upload and Resource Leak Vulnerability Authenticated users can upload specifically crafted files to leak server resources. This behavior can potentially be used to run a denial of service attack against Cloud Controller. The Cloud Foundry project recommends upgrading the following releases: * Upgrade capi release version to 1.194.0 or greater * Upgrade cf-deployment version to v44.1.0 or greater. This includes a patched capi release	Cloud Controller
CVE-2024-22279	Jun 10, 2024	CF Routing Release CVE-2024-22279: DoS via Improper Req Handling v0.274-0.297 Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale.	Routing Release Cf Deployment
CVE-2023-34041	Sep 08, 2023	Hop-by-Hop Header Abuse in CF Routing <0.278.0 Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.	Routing Release Cf Deployment
CVE-2023-20882	May 26, 2023	Denial of Service in Cloud Foundry Gorouter 0.262.0-0.266.0 In Cloud foundry routing release versions from 0.262.0 and prior to 0.266.0,a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool.	Routing Release Cf Deployment
CVE-2023-20881	May 19, 2023	Cloud Foundry CAPI 1.140-1.152.0 & lg-agent v7+ syslog drain credential override Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection.	Cf Deployment Capi Release Loggregator Agent And others...
CVE-2023-20903	Mar 28, 2023	Cloud Foundry UAA Refresh Token Abuse via Deactivated External IdP (CVE-2023-20903) This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).	User Account Authentication
CVE-2022-31733	Feb 03, 2023	Diego 2.55-2.69 mTLS Ingress Bypass via Unproxied Port Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate.	Diego Cf Deployment
CVE-2018-25046	Dec 27, 2022	ZipArchive Path Traversal in PHP via Improper Path Sanitization Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.	Archiver
CVE-2021-22100	Mar 25, 2022	In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and fail is possible. An attacker can leverage this vulnerability to cause an inability for anyone to push or manage apps.	Capi Release Cf Deployment
CVE-2021-22101	Oct 27, 2021	Cloud Controller versions prior to 1.118.0 are vulnerable to unauthenticated denial of Service(DoS) vulnerability Cloud Controller versions prior to 1.118.0 are vulnerable to unauthenticated denial of Service(DoS) vulnerability allowing unauthenticated attackers to cause denial of service by using REST HTTP requests with label_selectors on multiple V3 endpoints by generating an enormous SQL query.	Capi Release Cf Deployment
CVE-2021-22098	Aug 11, 2021	UAA server versions prior to 75.4.0 are vulnerable to an open redirect vulnerability UAA server versions prior to 75.4.0 are vulnerable to an open redirect vulnerability. A malicious user can exploit the open redirect vulnerability by social engineering leading to take over of victims accounts in certain cases along with redirection of UAA users to a malicious sites.	Cf Deployment User Account Authentication
CVE-2021-22001	Jul 22, 2021	In UAA versions prior to 75.3.0 In UAA versions prior to 75.3.0, sensitive information like relaying secret of the provider was revealed in response when deletion request of an identity provider( IdP) of type oauth 1.0 was sent to UAA server.	Cf Deployment User Account Authentication
CVE-2021-22115	Apr 08, 2021	Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.	Capi Release Cf Deployment
CVE-2020-5423	Dec 02, 2020	CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.	Capi Release Cf Deployment
CVE-2020-5422	Oct 02, 2020	BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA password as a flag to a process running on the BOSH director BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA password as a flag to a process running on the BOSH director. It exposed the password to any user or process with access to the same VM (through ps or looking at process details).	Bosh System Metrics Server
CVE-2020-5418	Sep 03, 2020	Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).	Capi Release Cf Deployment
CVE-2020-5420	Sep 03, 2020	Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a malicious developer with "cf push" access to cause denial-of-service to the CF cluster by pushing an app Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a malicious developer with "cf push" access to cause denial-of-service to the CF cluster by pushing an app that returns specially crafted HTTP responses that crash the Gorouters.	Cf Deployment
CVE-2020-5416	Aug 21, 2020	Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool.	Cf Deployment Routing Release
CVE-2020-5417	Aug 21, 2020	Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain (which is true in the default CF Deployment manifest), were vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain (which is true in the default CF Deployment manifest), were vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.	Cf Deployment Cloud Controller Capi Release And others...
CVE-2020-15586	Jul 17, 2020	Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.	Cf Deployment Routing Release
CVE-2020-5400	Feb 27, 2020	Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.	Cf Deployment Cloud Controller Capi Release And others...
CVE-2020-5401	Feb 27, 2020	Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app.	Routing Release
CVE-2020-5402	Feb 27, 2020	In Cloud Foundry UAA In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.	Cf Deployment User Account Authentication
CVE-2020-5399	Feb 12, 2020	Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.	Credhub
CVE-2019-11294	Dec 19, 2019	Cloud Foundry Cloud Controller API (CAPI), version 1.88.0 Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins.	Cf Deployment Cloud Controller Capi Release And others...
CVE-2019-11293	Dec 06, 2019	Cloud Foundry UAA Release Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.	Cf Deployment User Account Authentication
CVE-2019-11290	Nov 26, 2019	Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcatâs access file Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcatâs access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.	Cf Deployment User Account Authentication
CVE-2019-11289	Nov 19, 2019	Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.	Cf Deployment Routing Release
CVE-2019-11283	Oct 23, 2019	Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume.	Cf Deployment
CVE-2019-11282	Oct 23, 2019	Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.	Cf Deployment
CVE-2019-11279	Sep 26, 2019	CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.	Uaa Release
CVE-2019-11278	Sep 26, 2019	CF UAA versions prior to 74.1.0, allow external input to be directly queried against CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with 'client.write' and 'groups.update' can craft a SCIM query, which leaks information that allows an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have.	User Account Authentication
CVE-2019-11277	Sep 23, 2019	Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack.	Cf Deployment Nfs Volume Release
CVE-2019-11274	Aug 09, 2019	Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. A remote unauthenticated malicious attacker could craft a URL that contains a SCIM filter that contains malicious JavaScript, which older browsers may execute.	User Account Authentication
CVE-2019-3788	Apr 25, 2019	Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri's subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim.	Uaa Release
CVE-2019-3801	Apr 25, 2019	Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.	Cf Deployment Credhub Uaa Release And others...
CVE-2019-3786	Apr 24, 2019	Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.	Bosh Backup And Restore
CVE-2019-3789	Apr 24, 2019	Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the external domain of the route service, and map that route to an app. When the gorouter receives traffic destined for the external route service, this traffic will instead be directed to the internal app using the shadow route.	Routing Release
CVE-2019-3798	Apr 17, 2019	Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, contains improper authentication when validating user permissions Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, contains improper authentication when validating user permissions. A remote authenticated malicious user with the ability to create UAA clients and knowledge of the email of a victim in the foundation may escalate their privileges to that of the victim by creating a client with a name equal to the guid of their victim.	Capi Release
CVE-2019-3785	Mar 13, 2019	Cloud Foundry Cloud Controller, versions prior to 1.78.0, contain an endpoint with improper authorization Cloud Foundry Cloud Controller, versions prior to 1.78.0, contain an endpoint with improper authorization. A remote authenticated malicious user with read permissions can request package information and receive a signed bit-service url that grants the user write permissions to the bit-service.	Cloud Controller Capi Release
CVE-2019-3779	Mar 08, 2019	Cloud Foundry Container Runtime Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This could allow a user authenticated with a cluster to request a signed certificate leveraging the Kubernetes CSR capability to obtain a credential that could escalate privilege access to ETCD.	Container Runtime
CVE-2019-3780	Mar 08, 2019	Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contains a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials allowing the user to escalate privileges to gain access to the IAAS account.	Container Runtime
CVE-2019-3775	Mar 07, 2019	Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of a different user.	Uaa Release
CVE-2019-3784	Mar 07, 2019	Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id.	Stratos
CVE-2019-3783	Mar 07, 2019	Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user.	Stratos
CVE-2019-3781	Mar 07, 2019	Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.	Command Line Interface
CVE-2019-3782	Feb 13, 2019	Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user.	Credhub Cli
CVE-2018-15800	Dec 10, 2018	Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the the Bits Service storage.	Bits Service