Critical

EC Private Key Exposure in Cloud Foundry UAA /token_keys Endpoint

IdentifiersCVE-2026-40965CWE-200· Exposure of Sensitive Information…

Cloud Foundry UAA contains a private key exposure vulnerability in which the public /token_keys endpoint, intended to publish public key material for JWT verification, incorrectly exposes private key components when Elliptic Curve (EC) keys are used for JWT token signing. The issue affects Cloud Foundry UAA uaa_release versions v76.12.0 through v78.12.0 inclusive, and CF Deployment versions v30.0.0 through v56.0.0 inclusive. The flaw is specific to deployments configured to sign JWTs with EC keys; RSA key configurations are not affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An unauthenticated attacker able to access the public /token_keys endpoint on an affected deployment can obtain exposed EC private key material. Exposure of the signing private key can enable JWT forgery, impersonation of legitimate identities, bypass of authentication or authorization controls that rely on UAA-issued tokens, and broader compromise of trust in the token validation ecosystem. The provided advisory also indicates potential availability impact, though the primary consequences are severe confidentiality and integrity compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, stop using EC keys for JWT token signing and use RSA key configurations instead, as RSA deployments are not affected. Additionally, restrict access to the /token_keys endpoint where operationally feasible until fixed versions are deployed.

Remediation

Patch, then assume compromise.

Upgrade Cloud Foundry UAA (uaa_release) to v78.13.0 or later. For CF Deployment users, upgrade to v56.1.0 or later, which bundles uaa_release v78.13.0. Affected versions are uaa_release v76.12.0 through v78.12.0 inclusive and CF Deployment v30.0.0 through v56.0.0 inclusive.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CloudfoundryCf-Deploymentapplication

CloudfoundryUaaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

cvefeed high severityNews

Jun 1, 2026

CVE-2026-40965 - Cloud Foundry UAA EC Private Key Exposure

A private key exposure vulnerability in Cloud Foundry UAA where EC private keys can be disclosed via the public /token_keys endpoint, affecting deployments that use EC keys for JWT signing.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-40965

NVD

nvd.nist.gov/vuln/detail/CVE-2026-40965

MITRE CWE · CWE-200

Exposure of Sensitive Information to an…

cloudfoundry.org

cloudfoundry.org/blog/cve-2026-40965-uaa-ec-private-key-disclosure