CVE-2026-40965: Cloud Foundry UAA: Private Keys Exposed in JWT Token Signing
CVE-2026-40965
Summary
Cloud Foundry's UAA server, used for authentication and authorization, is vulnerable to exposing private keys. This affects organizations using Elliptic Curve (EC) keys to sign JSON Web Tokens (JWTs). To fix this issue, update to UAA version v78.13.0 or later, or update your Cloud Foundry deployment to version v56.1.0 or later.
Original description
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. The vulnerability affects deployments using EC keys for JWT token signing. The vulnerability does not affect RSA key configurations, only deployments using EC keys for JWT signing.
Affected versions:
- uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later
- CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0)
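A defender-side check for the exposure described above, added here as an example (not UAA project code): it parses a JWKS document of the kind the /token_keys endpoint publishes and flags any key that carries private-key parameters, which must never appear in a verification key set. It assumes the endpoint returns a standard RFC 7517 JWKS ("keys" array of JWK objects); the sample document and its key values are constructed placeholders.

```python
"""Flag private-key material in a published JWKS (e.g. a UAA /token_keys response).

Added example, not Cloud Foundry UAA code. Assumes a standard RFC 7517 JWKS.
Parameters that belong only to private keys (RFC 7518): "d" for EC and OKP keys,
and "d", "p", "q", "dp", "dq", "qi" for RSA keys. Any of them in a public key set
means the signing key has been leaked and must be rotated.
"""
import json

# Private-key parameters by key type; their presence in a public JWKS is a leak.
PRIVATE_PARAMS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi"},
    "OKP": {"d"},
}


def find_leaked_private_params(jwks_text):
    """Return [(kid, kty, [leaked parameter names])] for every key exposing private material."""
    doc = json.loads(jwks_text)
    findings = []
    for jwk in doc.get("keys", []):
        kty = jwk.get("kty")
        leaked = sorted(PRIVATE_PARAMS.get(kty, set()) & set(jwk))
        if leaked:
            findings.append((jwk.get("kid"), kty, leaked))
    return findings


def jwks_is_safe(jwks_text):
    """True when no key in the document carries private-key parameters."""
    return not find_leaked_private_params(jwks_text)


# Constructed sample resembling a /token_keys response from an affected deployment:
# the RSA key is a proper public key, while the EC key also carries the private
# scalar "d". All values are placeholders, not real key material.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "rsa-key-1", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-key-1", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y", "d": "placeholder-private-scalar"},
    ]
})

if __name__ == "__main__":
    for kid, kty, params in find_leaked_private_params(SAMPLE_JWKS):
        print(f"LEAK: kid={kid} kty={kty} private parameters present: {', '.join(params)}")
```

Feed it the JSON fetched from your own UAA's /token_keys endpoint; a non-empty result means the key must be rotated after upgrading, since the private component has already been public.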
NVD CVSS 3.1: 10.0
NVD CVSS 4.0: 10.0
Vulnerability type: CWE-200 (Information Exposure)
Published: 1 Jun 2026 · Updated: 1 Jun 2026 · First seen: 1 Jun 2026