Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to local command execution on the operator's workstation. Affected versions: bosh-cli versions prior to v7.10.4.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-47829 is an argument injection vulnerability in bosh-cli that allows a compromised BOSH Director to inject malicious OpenSSH options into SSH processes spawned during operator commands like `bosh ssh -c` and `bosh logs -f`. This vulnerability is particularly dangerous because it bridges the gap between infrastructure compromise and direct workstation compromise—an attacker who controls the BOSH Director can execute arbitrary commands on an operator's local machine simply by crafting malicious arguments that get passed to the underlying SSH process. Organizations using BOSH for cloud infrastructure automation are affected if they run bosh-cli versions prior to v7.10.4, making this a critical supply chain risk for DevOps and platform engineering teams.
Casky.ai's Claude-powered analysis engine would detect the attack patterns underlying this vulnerability by mapping argument injection attempts to MITRE ATT&CK techniques including T1059 (Command and Scripting Interpreter), T1021.004 (Remote Services: SSH/Secure Shell), and T1195.003 (Supply Chain Compromise). When analyzing bosh-cli activity, practitioners using Casky's 754 mapped security skills would see findings flagging suspicious SSH option chains, unexpected argument structures in process execution logs, and unauthorized command patterns originating from BOSH Director interactions. The platform's extended reasoning capabilities would correlate benign-looking SSH parameter injection with downstream local command execution, helping security teams identify compromise attempts that might otherwise appear as legitimate administrative activity in logs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-47829. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation