Summary
CVE-2026-40965 is a maximum-severity EC private key disclosure vulnerability in Cloud Foundry UAA (User Account and Authentication), affecting uaa_release versions v76.12.0 through v78.12.0 and CF Deployment versions v30.0.0 through v56.0.0. The server’s public, unauthenticated /token_keys endpoint — designed solely to serve public key material for JWT token verification — inadvertently returns Elliptic Curve (EC) private key components in its JSON response when EC keys are configured for JWT signing, enabling any unauthenticated remote attacker to forge arbitrary, cryptographically valid JWT tokens and achieve complete authentication bypass across the entire Cloud Foundry deployment. This vulnerability carries a CVSS 4.0 and CVSS 3.1 base score of 10.0 (Critical) and only affects deployments using EC keys for JWT signing; RSA configurations are not affected.
Technical details
- Root cause: The /token_keys endpoint fails to strip EC private key components before constructing its JSON response. Private key material that must never leave the server is returned alongside the intended public key material to any caller, with no authentication required (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor).
- Trigger conditions: The /token_keys endpoint is intentionally public by OIDC specification — it is referenced as the jwks_uri in OIDC discovery documents so relying parties can retrieve public keys for JWT verification. No credentials, session tokens, or prior access of any kind are required to trigger the disclosure.
- Attack vector: An unauthenticated remote attacker sends a single HTTP GET request to the /token_keys endpoint on an affected UAA instance and extracts the EC private key directly from the plaintext JSON response body. No specialized tooling or exploit code is required.
- Impact: Possession of the EC private signing key enables an attacker to forge cryptographically valid JWT tokens for any identity — including system administrators — accepted by every resource server and microservice trusting the affected UAA instance. This constitutes a complete authentication bypass with full privilege escalation across the entire Cloud Foundry deployment and all dependent services. The CVSS 4.0 vector reflects high confidentiality and integrity impact both on the vulnerable system (VC:H/VI:H) and across all subsequent/downstream systems (SC:H/SI:H).
Affected software
- uaa_release v76.12.0 through v78.12.0 (inclusive) — fixed in v78.13.0 or later
- CF Deployment v30.0.0 through v56.0.0 (inclusive) — fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
- Not affected: Deployments configured to use RSA keys for JWT signing
Severity
CVSS 4.0 Base Score: 10.0 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
CVSS 3.1 Base Score: 10.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Mitigation and recommended actions
- Immediate — upgrade: Apply the vendor patch by upgrading to uaa_release v78.13.0 or later, or CF Deployment v56.1.0 or later, which bundles the patched uaa_release.
- Assess key configuration: Determine whether your UAA instance is configured to use EC keys for JWT signing. Deployments using RSA keys are not affected.
- Rotate EC signing keys: Any EC signing keys in use on affected versions must be treated as fully compromised and rotated immediately after upgrading. Rotation is required in addition to patching, as any previously exposed key material remains valid until revoked.
- No documented workarounds: The Cloud Foundry security advisory does not provide workarounds short of upgrading. As a temporary defensive measure prior to patching, consider restricting network-level access to UAA endpoints where operationally feasible.
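To support the key-configuration assessment above, and to illustrate the stripping step the root cause describes, the following added example (not code from the advisory or from the UAA project) audits a JWKS document of the kind served at jwks_uri for any private JWK parameters. It checks the EC private scalar "d" that this advisory concerns and, more generally, the RSA and symmetric private parameters defined in RFC 7518; the sample document and its key values are constructed placeholders, and the function names are assumptions.

```python
import json

# Private-key JWK parameters per RFC 7518 (plus "k" for symmetric keys):
# none of these may ever appear in a JWKS served for token verification.
PRIVATE_JWK_PARAMS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "oct": {"k"},
}
ALL_PRIVATE_PARAMS = set().union(*PRIVATE_JWK_PARAMS.values())


def leaked_private_params(jwks):
    """Map kid -> sorted private parameters for every key in a parsed JWKS
    document that carries private-key material (empty dict when clean)."""
    findings = {}
    for i, jwk in enumerate(jwks.get("keys", [])):
        kid = jwk.get("kid", f"<key #{i}>")
        exposed = sorted(ALL_PRIVATE_PARAMS & set(jwk))
        if exposed:
            findings[kid] = exposed
    return findings


def public_only(jwks):
    """Return a copy of the JWKS with private parameters stripped: what a
    jwks_uri endpoint must do before building its response."""
    return {"keys": [{k: v for k, v in jwk.items() if k not in ALL_PRIVATE_PARAMS}
                     for jwk in jwks.get("keys", [])]}


def audit_token_keys(body):
    """Audit a /token_keys response (JSON text or parsed dict) and report
    every key that leaks private material. Returns the findings."""
    jwks = json.loads(body) if isinstance(body, str) else body
    findings = leaked_private_params(jwks)
    for kid, params in findings.items():
        print(f"PRIVATE KEY MATERIAL EXPOSED: kid={kid} params={params}")
    return findings


# Constructed sample shaped like a JWKS from an affected instance: the EC key
# carries its private scalar "d" beside the public point. Placeholder values.
SAMPLE_TOKEN_KEYS = {"keys": [
    {"kty": "EC", "kid": "ec-key-1", "use": "sig", "alg": "ES256", "crv": "P-256",
     "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y", "d": "PLACEHOLDER_PRIVATE_D"},
    {"kty": "RSA", "kid": "rsa-key-1", "use": "sig", "alg": "RS256",
     "n": "PLACEHOLDER_N", "e": "AQAB"},
]}
```

Run `audit_token_keys` on the JSON body fetched from your own UAA's jwks_uri; any non-empty result means the signing key must be treated as compromised and rotated after patching.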
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.