Broadcom published VMSA-2026-0004 on June 8, 2026 for VMware Cloud Foundation Operations and related products. The advisory covers CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, all rated Important with a maximum CVSSv3 score of 8.0. Broadcom lists no workaround, so affected environments need the fixed versions from the advisory.
This matters for hosting providers, private-cloud admins, homelab operators, and enterprise teams because VMware Cloud Foundation Operations and Aria Operations sit close to the management plane. A low-privilege user with rights to create certain content in the platform may be able to influence administrative actions when an administrator interacts with that content.
This is a protect-only guide. It summarizes the safe update, role review, maintenance, and verification path without publishing abuse steps or unsafe test details.
What Broadcom fixed
Broadcom describes the issues as multiple stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations. The affected product list includes VMware Aria Operations, VMware Cloud Foundation Operations, VMware Cloud Foundation, VMware vSphere Foundation, and VMware Telco Cloud Platform.
- VMware Cloud Foundation Operations 9.1.x.x: Broadcom lists fixed version 9.1.0.0 for CVE-2026-41722 and CVE-2026-41723.
- VMware Cloud Foundation Operations 9.0.x.x: Broadcom lists fixed version 9.0.2.0 EP2 for CVE-2026-41722 and CVE-2026-41723.
- VMware Aria Operations 8.x: Broadcom lists fixed version 8.18.6 for two of the issues and 8.18.7 where all three CVEs apply.
- VMware Cloud Foundation 5.x with Aria Operations: Broadcom lists 8.18.7 in the response matrix.
- VMware Telco Cloud Platform 5.x with Aria Operations: Broadcom points admins to KB443138 for the fixed path.
Use the Broadcom advisory row that matches your bundle, release train, and entitlement. If your deployment falls between rows or includes older Aria Operations components, treat the Broadcom advisory and current release notes as the source of truth before scheduling production work.
Patch planning checklist
- Inventory the management stack. Include VMware Cloud Foundation Operations, Aria Operations, VCF, vSphere Foundation, Telco Cloud Platform, cloud proxies, adapters, integrations, and any customer-facing dashboards.
- Confirm versions and fixed paths. Map each appliance or component to the matching Broadcom response-matrix row before downloading updates.
- Back up before patching. Follow VMware/Broadcom guidance for appliance snapshots, database protection, content packs, dashboards, alerts, integrations, and collector or cloud-proxy state.
- Reduce unnecessary access. Review who can create policies, views, dashboards, widgets, and management content. Remove stale admin or delegated roles before and after the update.
- Plan a maintenance window. Notify admins and customers who rely on dashboards, capacity reports, alerts, API integrations, or monitoring feeds.
- Patch in a controlled order. Update nodes, collectors, proxies, and integrations according to Broadcom documentation. Keep a rollback handle until core dashboards and alerts are proven clean.
- Review admin activity. Look for unusual content changes, unexpected dashboards or views, new delegated roles, abnormal administrator sessions, and odd automation behavior around the management plane.
- Verify after patching. Confirm version levels, cluster health, adapter collection, alert delivery, dashboards, reports, access roles, SSO, backups, and customer-visible views.
Hosting and service-provider notes
For providers, the most important question is not only whether the appliance is patched. It is also who can create or modify content that administrators later trust. Review delegated roles, tenant-facing dashboards, shared views, customer reporting workflows, and any integration account that can write into Operations.
Because Broadcom lists no workaround, edge rules and login restrictions should be treated as temporary exposure reduction only. The durable fix is the vendor update, followed by a review of management-plane roles and activity.
Post-update verification checklist
- Every affected VCF Operations or Aria Operations component shows the intended fixed version.
- Cluster status, node health, collector health, and cloud-proxy health are normal.
- Adapters still collect from vCenter, NSX, storage, backup, and customer monitoring sources.
- Dashboards, views, policies, alerts, reports, and capacity planning still work for known-good users.
- Role assignments and delegated permissions match the current support model.
- Recent content changes and admin sessions have been reviewed for anything unexpected.
- Backups, monitoring, and maintenance notes are updated with the fixed version and verification time.
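One way to carry out the "Confirm versions and fixed paths" step of the patch planning checklist and the first post-update check (every component shows the intended fixed version) is to compare each appliance's reported version against the advisory rows quoted on this page. The script below is an added example, not Broadcom's tooling and not part of the original guide: the inventory records are constructed, the product labels and helper names are assumptions, and so is the rule that an "EP" build sorts after the plain release it patches.

```python
"""
Compare a VCF Operations / Aria Operations inventory against the fixed
versions from VMSA-2026-0004 and report which appliances still need the
update.  Added example (not Broadcom's code); the inventory below is
constructed and the EP ordering rule is an assumption.
"""
import re
from dataclasses import dataclass

# Minimum fully fixed version per product and release train, taken from the
# advisory rows quoted on this page.  For Aria Operations 8.x the page notes
# that 8.18.6 covers two of the three CVEs and 8.18.7 covers all three, so
# 8.18.7 is the target used here.
FIXED_VERSIONS = {
    ("VCF Operations", "9.1"): "9.1.0.0",
    ("VCF Operations", "9.0"): "9.0.2.0 EP2",
    ("Aria Operations", "8"): "8.18.7",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\s*EP(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '9.0.2.0 EP2' into a comparable tuple.

    The dotted numeric part comes first (padded to four fields so that
    '8.18' == '8.18.0.0'); the express-patch number comes last, with 0
    meaning 'no EP suffix'.  Assumption: an EP build sorts after the plain
    release it patches and before the next dotted release.  Unexpected
    formats raise ValueError so an inventory typo is never treated as fixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * max(0, 4 - len(numbers))
    ep = int(m.group(2)) if m.group(2) else 0
    return numbers + (ep,)


def release_train(product: str, version: str) -> str:
    """Pick the advisory row key: 'N' for Aria Operations, 'N.M' for VCF Operations."""
    numbers = parse_version(version)
    if product == "Aria Operations":
        return str(numbers[0])            # the advisory groups all 8.x together
    return f"{numbers[0]}.{numbers[1]}"   # VCF Operations rows are per 9.x train


@dataclass
class Appliance:
    name: str      # hostname or inventory label (constructed)
    product: str   # "VCF Operations" or "Aria Operations" (assumed labels)
    version: str   # version string as reported by the appliance


def check_appliance(app: Appliance) -> dict:
    """Return {'name', 'status', 'fixed'} for one appliance.

    status is 'fixed', 'needs-update', or 'unknown-row' when the appliance
    is not on a release train this page lists (treated as not verified, not OK).
    """
    train = release_train(app.product, app.version)
    fixed = FIXED_VERSIONS.get((app.product, train))
    if fixed is None:
        return {"name": app.name, "status": "unknown-row", "fixed": None}
    current = parse_version(app.version)
    status = "fixed" if current >= parse_version(fixed) else "needs-update"
    return {"name": app.name, "status": status, "fixed": fixed}


def check_inventory(apps) -> list:
    return [check_appliance(a) for a in apps]


def needs_update(apps) -> list:
    """Names of appliances that are confirmed below the fixed version."""
    return [r["name"] for r in check_inventory(apps) if r["status"] == "needs-update"]


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Appliance("ops-prod-01", "VCF Operations", "9.1.0.0"),
    Appliance("ops-prod-02", "VCF Operations", "9.0.2.0"),
    Appliance("ops-prod-03", "VCF Operations", "9.0.2.0 EP2"),
    Appliance("aria-legacy-01", "Aria Operations", "8.18.6"),
    Appliance("aria-legacy-02", "Aria Operations", "8.18.7"),
    Appliance("aria-old-01", "Aria Operations", "7.5"),
]

if __name__ == "__main__":
    for row in check_inventory(SAMPLE_INVENTORY):
        print(f"{row['name']:16} {row['status']:13} target={row['fixed']}")
```

The "unknown-row" outcome is deliberate: an appliance that does not map to a row on the page (an older Aria Operations build, a Telco Cloud Platform bundle pointed at KB443138) should be looked up against the Broadcom advisory rather than silently passing. Note also that 8.18.6 is reported as needing an update, because the target here is the version that covers all three CVEs.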
Related Fix I.T. Phill reading
- VMware/Broadcom May 2026: VCF 9.1, vCenter, and VM Hosting Checks
- VMware Fusion CVE-2026-41702: Mac Hypervisor Patch Guide
- Proxmox VE 9.2: Upgrade and Hosting Cluster Checklist
- Check Point CVE-2026-50751 VPN patch guide
Sources
- Broadcom VMSA-2026-0004 advisory
- VMware Aria Operations 8.18.7 release notes
- VMware Cloud Foundation 9.0 patch release notes
- Official CVE API record for CVE-2026-41722
- Official CVE API record for CVE-2026-41723
- Official CVE API record for CVE-2026-41724
- NVD entry for CVE-2026-41722
- NVD entry for CVE-2026-41723
- NVD entry for CVE-2026-41724
Need help planning a VMware management-plane patch window? Fix I.T. Phill can help inventory the affected components, stage the maintenance window, review delegated roles, and verify dashboards and alerts after the update.
