Severe Leak Impacts User Account and Authentication Subsystem
Open-source platform-as-a-service environments face an immediate architectural risk: a critical key disclosure flaw has been found in the core identity management system of Cloud Foundry. Tracked as CVE-2026-40965, it carries the maximum possible CVSS severity score of 10.0. The defect lets external actors obtain private signing keys without any authentication, so enterprise deployment administrators must apply the vendor security patches immediately to prevent token forgery attacks.
Accidentally Exposing Elliptic Curve Private Keys
The underlying bug resides in the User Account and Authentication (UAA) component, which mishandles certain key retrieval requests. According to the official advisory, “The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public/token_keys endpoint.”
This unauthenticated API path exists to publish the public key material that clients need for routine JSON Web Token (JWT) signature verification. Because of the parsing error, however, the server discloses the Elliptic Curve private keys, so an unauthenticated remote adversary can read them and forge valid authentication tokens. Notably, the vulnerability does not affect RSA keys.
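As an added example (not code from the advisory or the UAA project), the following Python audits a key-publication document for exactly the condition this bug produced: private key material in a response that should carry only public keys. It assumes the endpoint returns RFC 7517 JWKS JSON and, as UAA does, an optional PEM copy of each key in a `value` field; the sample document is constructed.

```python
import json
import urllib.request

# JWK members that only ever belong in a private key (RFC 7518): the EC/RSA
# private scalar "d", the RSA CRT parameters, and the symmetric key "k".
PRIVATE_MEMBERS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth", "k"})


def find_private_material(jwks_text):
    """Return a list of (kid, reason) for every key in a JWKS document that
    carries private material. An empty list means the document is clean."""
    doc = json.loads(jwks_text)
    findings = []
    for idx, key in enumerate(doc.get("keys", [])):
        kid = key.get("kid", f"<key #{idx}>")
        leaked = sorted(PRIVATE_MEMBERS.intersection(key))
        if leaked:
            findings.append((kid, "private JWK members present: " + ", ".join(leaked)))
        # Assumption: a PEM copy of the key sits in "value"; a PEM private-key
        # block there is just as much of a leak as a private JWK member.
        value = key.get("value", "")
        if isinstance(value, str) and "PRIVATE KEY" in value:
            findings.append((kid, "PEM private key block in 'value'"))
    return findings


def audit_token_keys(base_url, timeout=10):
    """Fetch <base_url>/token_keys without credentials, as any stranger on the
    network could, and report any private material it exposes."""
    url = base_url.rstrip("/") + "/token_keys"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return find_private_material(resp.read().decode("utf-8"))


# Constructed sample: an EC key that wrongly includes its private scalar "d",
# beside an RSA key that correctly exposes only the public modulus and exponent.
# The coordinate/modulus strings are placeholders, not real key material.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "EC", "kid": "ec-key-1", "use": "sig", "alg": "ES256", "crv": "P-256",
     "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate",
     "d": "placeholder-private-scalar"},
    {"kty": "RSA", "kid": "rsa-key-1", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]})

if __name__ == "__main__":
    for kid, reason in find_private_material(SAMPLE_JWKS):
        print(f"LEAK kid={kid}: {reason}")
```

Run `audit_token_keys("https://uaa.example.internal")` against your own deployment before and after upgrading; a non-empty result on a patched build warrants opening a ticket with the vendor.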
Mandatory Patches Released for Affected Releases
Neutralizing this Cloud Foundry key disclosure vector requires a prompt upgrade of production fleets. The vulnerability affects all UAA releases from v76.12.0 through v78.12.0.
To remediate the flaw, the development group recommends moving to UAA v78.13.0 or later. Administrators deploying via the global configuration templates should likewise migrate their infrastructure to version v56.1.0 or greater right away. Once these components are updated, the token-signing keys are no longer exposed to unauthorized disclosure through this endpoint.