Cloud Foundry UAA EC Private Key Disclosure via /token_keys (CVE-2026-40965)

Vulnerability Overview CVE ID: CVE-2026-40965 Vulnerability Name: UAA EC Private Key Disclosure via token_keys JSON Response Severity: 10.0 / Critical Description: Cloud Foundry UAA versions v76.12.0 through v78.12.0 contain a vulnerability where EC (Elliptic Curve) private keys are accidentally exposed via the public endpoint. This endpoint is intended to provide public key material for JWT token verification, but it erroneously exposes the private key component of the EC key. This vulnerability affects deployments that use EC keys for JWT token signing. The vulnerability does not impact RSA key configurations and only affects deployments using EC keys for JWT signing. Affected Versions Affected Versions: - : All versions from v76.12.0 to v78.12.0 (inclusive) - : All versions from v30.0.0 to v56.0.0 (inclusive) Remediation Mitigation Measures: - Users of affected products are strongly advised to follow the mitigation measures below. - The Cloud Foundry Project recommends upgrading to the following versions: - : Upgrade to uaa_release version v78.13.0 or higher - : Upgrade to cf-deployment version v56.1.0 or higher, including uaa_release v78.13.0 Additional Information Reporter: Reported by the UAA Cloud Foundry team and Arthur Chan from Ada Logics, in collaboration with Claude and Anthropic Research Timeline: - May 13, 2026: Initial vulnerability report released - May 14, 2026: Republished to make it visible Summary This vulnerability involves the accidental exposure of EC private keys in Cloud Foundry UAA, severely impacting deployments that use EC keys for JWT token signing. Users are advised to upgrade to the specified versions as soon as possible to fix this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Cloud Foundry UAA EC Private Key Disclosure via /token_keys (CVE-2026-40965)

More from this source