Cloud Foundry UAA Private Key Exposure Vulnerability via /token_keys Endpoint

Vulnerability

A vulnerability exists in Cloud Foundry UAA versions 76.12.0 through 78.12.0, where EC (Elliptic Curve) private keys are unintentionally exposed through the public /token_keys endpoint. This endpoint is intended to publish only the public key material that clients use to verify JWT tokens, but for EC keys it incorrectly includes the private key components in its response. The issue affects deployments that use EC keys for JWT token signing; RSA key configurations remain unaffected.
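To check a UAA instance's /token_keys response for this class of leak, the script below (an added defender-side example, not code from the Cloud Foundry project) parses the JWKS document and flags any key that carries a private parameter. The sample response body, key ids and key values are constructed placeholders; the private-parameter names are the standard JWK ones defined in RFC 7518, which is an assumption about the response shape rather than something stated on this page.

```python
import json

# Private JWK parameters per RFC 7518 (Section 6.2.2 for EC, 6.3.2 for RSA).
# None of these should ever appear in a published JWKS; for the EC case on
# this page, the leaked component is the private scalar "d".
PRIVATE_PARAMS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi"},
}


def find_leaked_keys(jwks: dict) -> list:
    """Return (kid, kty, [leaked parameter names]) for every key in a JWKS
    document that carries private key material."""
    findings = []
    for jwk in jwks.get("keys", []):
        kty = jwk.get("kty", "")
        leaked = sorted(PRIVATE_PARAMS.get(kty, set()) & set(jwk.keys()))
        if leaked:
            findings.append((jwk.get("kid", "<no kid>"), kty, leaked))
    return findings


def audit_token_keys(body: str) -> list:
    """Parse the JSON body returned by /token_keys and audit it."""
    return find_leaked_keys(json.loads(body))


# Constructed sample of what a vulnerable instance's /token_keys could return:
# an EC signing key that wrongly includes "d", next to a clean RSA key.
# All values are placeholders, not real key material.
SAMPLE_TOKEN_KEYS = json.dumps({
    "keys": [
        {"kty": "EC", "kid": "ec-key-1", "use": "sig", "alg": "ES256",
         "crv": "P-256", "x": "EXAMPLE_X", "y": "EXAMPLE_Y",
         "d": "EXAMPLE_PRIVATE_SCALAR"},
        {"kty": "RSA", "kid": "rsa-key-1", "use": "sig", "alg": "RS256",
         "n": "EXAMPLE_MODULUS", "e": "AQAB"},
    ]
})

if __name__ == "__main__":
    for kid, kty, params in audit_token_keys(SAMPLE_TOKEN_KEYS):
        print(f"LEAK: key {kid!r} ({kty}) exposes private parameter(s) {params}")
```

To audit a live deployment, save the body of a GET to your own UAA's /token_keys endpoint and pass it to audit_token_keys; any finding means the affected signing key must be rotated after upgrading, since the leaked key cannot be un-published.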

Impact

Exploitation of this vulnerability exposes the EC private signing keys to anyone who can reach the public endpoint, which compromises the integrity of JWT token signing in affected deployments.

Remediation

Users are advised to upgrade to UAA versions 78.13.0 or later. For Cloud Foundry deployments, upgrade to version 56.1.0 or later, which includes UAA version 78.13.0.

Added: Jun 1, 2026, 10:18 PM
Updated: Jun 1, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          2.5
exploitability  7.6
remediation     7.7
relevance       9.7
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.