ZeroPath at Black Hat USA 2026

VMware Cloud Foundation Operations CVE-2026-41724: Overview of Stored XSS Leading to Admin Privilege Escalation

A brief summary of CVE-2026-41724, a high severity stored cross-site scripting vulnerability in VMware Cloud Foundation Operations that allows low privileged users to inject persistent scripts and perform administrative actions. Includes patch details and affected version matrix.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

VMware Cloud Foundation Operations CVE-2026-41724: Overview of Stored XSS Leading to Admin Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A trio of stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations allows any authenticated user with the ability to create policies, views, or text widgets to inject persistent scripts that execute with full administrative privileges when an admin views the compromised content. For organizations running VMware's operations management stack, which spans five distinct product lines and underpins the monitoring and management of their entire virtualized infrastructure, this represents a practical privilege escalation path from a low privileged account to complete administrative control.

CVE-2026-41724 is the third of three related flaws disclosed in Broadcom's VMSA-2026-0004 advisory on June 8, 2026, and it specifically targets the text widget creation flow. All three CVEs carry a CVSS 3.1 base score of 8.0 (High), and notably, no workarounds are available for any of them.

Technical Information

Root Cause: Missing Input Sanitization Across Content Creation Interfaces

CVE-2026-41724 is classified as a stored cross-site scripting vulnerability, mapping to CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause is a failure to properly sanitize and encode user supplied input in the text widget creation flow of VMware Cloud Foundation Operations. When a user creates a text widget, the application stores the content as provided without neutralizing embedded script payloads. When that content is later rendered in another user's browser, typically an administrator reviewing dashboards or operational views, the injected script executes in the context of their authenticated session.

The CVSS v3.1 vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, which breaks down as follows:

CVSS ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)LowNo specialized conditions required
Privileges Required (PR)LowAttacker needs only low level authenticated access
User Interaction (UI)RequiredAn admin must view the compromised content
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)HighComplete information disclosure possible
Integrity (I)HighComplete system integrity compromise possible
Availability (A)HighComplete system availability disruption possible

Three Injection Surfaces, One Systemic Weakness

VMSA-2026-0004 bundles three distinct CVEs, each targeting a different content creation interface within the same product:

CVE IDCVSSInjection Point
CVE-2026-417228.0Stored XSS via policy creation
CVE-2026-417238.0Stored XSS via view creation
CVE-2026-417248.0Stored XSS via text widget creation

The fact that three separate injection surfaces share the same class of vulnerability indicates that VMware Cloud Foundation Operations lacked consistent input sanitization across its content creation features. This is not a single isolated coding error but rather a systemic gap in how user supplied content is handled before storage and rendering.

Attack Flow

The exploitation chain for CVE-2026-41724 proceeds as follows:

  1. Initial Access: The attacker authenticates to VMware Cloud Foundation Operations with a low privileged account that has permissions to create text widgets. This is a common permission granted to operations team members who build and customize dashboards.

  2. Payload Injection: The attacker creates or modifies a text widget, embedding malicious JavaScript in the widget content. Because the application does not sanitize or encode the input, the script is stored verbatim in the backend.

  3. Persistence: The malicious script is now persistently stored on the server. Unlike reflected XSS, which requires the victim to click a crafted link, stored XSS payloads survive indefinitely and execute every time the compromised content is rendered.

  4. Trigger: A legitimate administrator navigates to a dashboard or view that includes the compromised text widget. The application renders the widget content, including the injected script, in the administrator's browser.

  5. Execution with Elevated Privileges: The injected JavaScript executes within the administrator's authenticated browser session. Because the administrator holds full administrative privileges in VCF Operations, the script can perform arbitrary administrative actions: creating new admin accounts, modifying monitoring policies, exfiltrating configuration data, or disabling security controls.

The critical aspect of this attack is the privilege differential. The attacker only needs low level access to inject the payload, but the impact is realized at the privilege level of whoever views the content. In an operations management tool, that viewer is almost always an administrator.

Credit

Broadcom credited Alexis Bernazzani of Visa Inc. for reporting these vulnerabilities, indicating responsible disclosure from a major financial institution's security team.

Patch Information

Broadcom published security advisory VMSA-2026-0004 on June 8, 2026, delivering patches for CVE-2026-41724 alongside its sibling stored XSS flaws CVE-2026-41722 and CVE-2026-41723. Because these are stored XSS vulnerabilities, the patch addresses the underlying failure to properly sanitize and encode user supplied input in the policy, view, and text widget creation flows. By correcting input validation and output encoding at these injection points, the update ensures that injected script payloads are rendered as inert text rather than executable code within an administrator's browser session.

No workarounds exist. Applying the vendor supplied fixed versions is the only remediation path.

The Response Matrix in the advisory deserves careful attention because the fixed version differs depending on which product line you are running, and not every fixed version covers CVE-2026-41724 specifically:

Product / ComponentAffected VersionFixed VersionCVEs Covered
VMware Cloud Foundation / vSphere Foundation (VCF Operations)9.1.x.x9.1.0.0CVE-2026-41722, CVE-2026-41723
VMware Cloud Foundation / vSphere Foundation (VCF Operations)9.0.x.x9.0.2.0 EP2CVE-2026-41722, CVE-2026-41723
VMware Aria Operations (standalone)8.x8.18.6CVE-2026-41722, CVE-2026-41723
VMware Aria Operations (standalone)8.x8.18.7CVE-2026-41722, CVE-2026-41723, CVE-2026-41724
VMware Cloud Foundation 5.x (Aria Operations component)5.x8.18.7CVE-2026-41722, CVE-2026-41723, CVE-2026-41724
VMware Telco Cloud Platform 5.x (Aria Operations component)5.xKB443138CVE-2026-41722, CVE-2026-41723, CVE-2026-41724

There is a critical nuance here that administrators should not overlook: if you are running VMware Aria Operations 8.x (standalone or bundled with VCF 5.x or Telco Cloud Platform 5.x), you must upgrade to version 8.18.7 to fully remediate CVE-2026-41724. Version 8.18.6 only covers CVE-2026-41722 and CVE-2026-41723. Upgrading to 8.18.6 alone leaves CVE-2026-41724 unpatched. For VCF Operations 9.x environments, CVE-2026-41724 coverage is handled in the 9.1.0.0 and 9.0.2.0 EP2 builds alongside the other two CVEs.

Defense in Depth Measures

While patching is the definitive fix, the following measures can reduce the likelihood of exploitation during the patching window:

  • Restrict text widget, policy, and view creation privileges to only essential personnel. Since the attack requires these specific permissions, limiting the pool of users who hold them directly reduces the attack surface.
  • Enable Content Security Policy (CSP) in VMware Aria Operations. Broadcom documents CSP support in the product specifically to mitigate this class of vulnerability. Properly configured CSP can restrict script execution contexts and limit the impact of injected payloads.
  • Monitor administrative action logs for anomalous text widget, policy, or view modifications from low privileged accounts, which could indicate exploitation attempts.

Affected Systems and Versions

The vulnerability impacts the following products and version ranges:

  • VMware Cloud Foundation Operations versions 9.1.x.x (prior to 9.1.0.0)
  • VMware Cloud Foundation Operations versions 9.0.x.x (prior to 9.0.2.0 EP2)
  • VMware Aria Operations (standalone) version 8.x (prior to 8.18.7)
  • VMware Cloud Foundation 5.x with embedded Aria Operations component (prior to Aria Operations 8.18.7)
  • VMware vSphere Foundation with VCF Operations component (versions 9.0.x.x and 9.1.x.x, prior to the fixed builds listed above)
  • VMware Telco Cloud Platform 5.x with embedded Aria Operations component (prior to the fix documented in KB443138)

This is a broad product surface area. VMware Cloud Foundation is deployed by a significant portion of VMware's approximately 500,000 enterprise customers worldwide, and VCF Operations / Aria Operations serves as the centralized monitoring and management plane for these environments.

Vendor Security History

The VMware Aria Operations and VCF Operations product family has a documented pattern of recurring stored XSS vulnerabilities:

Advisory / DateCVEsCVSSVulnerability Type
VMSA-2024-0025 (November 2024)CVE-2024-388327.1Stored XSS via "views" editing in Aria Operations
VMSA-2025-0003 (January 2025)CVE-2025-22220Not specifiedStored XSS in Aria Operations for Logs
VMSA-2026-0001 (Early 2026)CVE-2026-22719, 22720, 22721Not specifiedMultiple vulnerabilities in Aria Operations
VMSA-2026-0004 (June 2026)CVE-2026-41722, 41723, 417248.0 eachStored XSS via policies, views, text widgets

This is the third stored XSS advisory affecting the same product family in under two years. Each advisory has addressed the specific injection points reported, but new injection surfaces have continued to emerge. The pattern suggests that Broadcom has been addressing XSS reactively, fixing each reported injection point individually rather than implementing a product wide input sanitization framework.

A separate but relevant concern: in October 2025, SecurityWeek reported that Broadcom failed to disclose that a previously patched VMware vulnerability had been exploited as a zero day by Chinese state linked actors since mid October 2024. The flaw was exploited in the wild for approximately a year before it was patched, and Broadcom did not inform customers about the active exploitation at the time of patch release. This incident raises questions about the completeness of Broadcom's vulnerability communications and whether the absence of reported exploitation for CVE-2026-41724 can be taken at face value.

As of the June 8, 2026 disclosure date, no active exploitation of CVE-2026-41724 has been reported in public sources. The NVD record remains in "Received" status with no independent CVSS assessment yet provided, meaning the CVSS 8.0 score is vendor assigned and may be revised.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization