CVE-2026-47833 | setupBpmLogs follows symlink for bpm.log open and chown — co… | CVSS 6.1 MEDIUM

Description

setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job. Affected versions: bpm-release, all versions prior to v1.4.30.

Metadata

CVE ID: CVE-2026-47833
State: PUBLISHED
Assigner: vmware
Reserved: 2026-05-20 10:00 UTC
Published: 2026-06-18 18:30 UTC
Last updated: 2026-06-18 19:08 UTC
Primary CWE: CWE-59
CWE-59: Improper Link Resolution Before File Access ('Link F…
Vendor / Product: Cloud Foundry Foundation / bpm-release
Sources: cve.org · NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Cloud Foundry Foundation	bpm-release	—	0 < 1.4.30

Weakness (CWE)

CWE	Source	Description
CWE-59	cna	CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
6.1	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (1)

https://www.cloudfoundry.org/blog/cve-2026-47833-symlink-vulnerability-in-setupbpmlogs-allows-container-to-host-privilege-escalation-via-etc-shadow/