CVE-2026-40965

Name: CVE-2026-40965
Creator: NVD / NIST
Published: 2026-06-01T22:16:25.6+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 10/10EPSS 0.35%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. The vulnerability affects deployments using EC keys for JWT token signing. The vulnerability does not affect RSA key configurations, only deployments using EC keys for JWT signing. Affected versions: - uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later - CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)

Metrics

CVSS 3.1

10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CVSS 4.0

10/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.35%

26.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

References

https://www.cloudfoundry.org/blog/cve-2026-40965-uaa-ec-private-key-disclosure/

Timeline

Published: Jun 1, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-40965?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST