Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
The attacker controls only the name of a network-hosted Postman workspace and needs no privileges on the victim's system; the victim must actively run the module (UI:R); the impact is limited to filesystem writes (integrity), with no confidentiality or availability effect.
Primary rating from Vendor (BLSOPS).
CVSS Vector (Vendor: BLSOPS): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
Description (source: CVE.org)
The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
Analysis (AI-generated)
Arbitrary file write in BBOT's postman_download module enables a remote attacker to write files outside the intended output directory on a victim's system by controlling a Postman workspace name containing path traversal sequences. When a user runs the postman_download module, BBOT fetches workspace names from the Postman API and constructs local filesystem paths without sanitization, allowing pathlib to resolve paths into arbitrary locations on the victim's host. …
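The path construction that the Description and Analysis above describe, shown as an added Python example that is neither BBOT's own code nor the upstream fix: an unsafe builder that joins the workspace name onto the output directory unchanged, beside a hardened builder that allow-lists the name as a single path component and then verifies that the resolved path still lies directly under the output directory. The output directory name `bbot_output`, the sample workspace names and all function names are constructed for this example.

```python
"""Added example, not BBOT code: an untrusted workspace name joined onto an
output directory, in the flawed form and in a hardened form."""
import re
from pathlib import Path

# Constructed sample names, as an API might return them (not real workspaces).
SAMPLE_WORKSPACE_NAMES = [
    "Team API Collection",  # benign
    "../../outside",        # parent components escape the output directory
    "nested/sub",           # a separator smuggles in a subdirectory
    "..",                   # bare parent reference resolves to the parent dir
    "",                     # empty name collapses onto the output dir itself
]

# Allow-list for one directory component: leading alphanumeric, then a small
# character set with no path separators, bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,127}")


def unsafe_workspace_dir(output_dir, workspace_name: str) -> Path:
    """The flawed pattern: the name is appended unchanged, and resolve()
    folds any '..' components, so the result can land outside output_dir."""
    return (Path(output_dir) / workspace_name).resolve()


def is_within(base, candidate) -> bool:
    """True when candidate, after symlink resolution, lies under base."""
    try:
        Path(candidate).resolve().relative_to(Path(base).resolve())
        return True
    except ValueError:
        return False


def safe_workspace_dir(output_dir, workspace_name: str) -> Path:
    """Hardened pattern: validate the name first, then verify containment."""
    if not _SAFE_NAME.fullmatch(workspace_name) or ".." in workspace_name:
        raise ValueError(f"unsafe workspace name rejected: {workspace_name!r}")
    base = Path(output_dir).resolve()
    target = (base / workspace_name).resolve()
    # Defence in depth: an allow-listed name could already exist on disk as a
    # symlink pointing elsewhere, so check the resolved location as well.
    if target.parent != base:
        raise ValueError(f"resolved path escapes the output directory: {target}")
    return target


def audit_names(output_dir, names):
    """Map each name to (unsafe_builder_escapes, hardened_builder_accepts)."""
    report = {}
    for name in names:
        escapes = not is_within(output_dir, unsafe_workspace_dir(output_dir, name))
        try:
            safe_workspace_dir(output_dir, name)
            accepted = True
        except ValueError:
            accepted = False
        report[name] = (escapes, accepted)
    return report


if __name__ == "__main__":
    out = "bbot_output"  # constructed output directory name
    for name, (escapes, accepted) in audit_names(out, SAMPLE_WORKSPACE_NAMES).items():
        print(f"{name!r:24} unsafe escapes={escapes!s:5} hardened accepts={accepted}")
```

The allow-list rejects traversal input before any filesystem work, and the containment check after `resolve()` covers the case the allow-list cannot see: a name that is clean as a string but already exists under the output directory as a symlink to somewhere else. The empty name passes the unsafe builder without escaping, which is why the audit reports it as "does not escape" yet the hardened builder still refuses it: writing workspace contents into the output directory itself is not the intended layout either.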
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Topic | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the victim actively runs BBOT's postman_download module (UI:R) against a Postman scope that includes an attacker-controlled workspace with a path traversal sequence in its name, for example a publicly visible workspace named '../../target'. … |
| Risk Assessment | The NVD CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) correctly reflects that the attacker requires no privileges on the victim's system and faces no complex preconditions beyond victim interaction. … |
| Exploit Scenario | An attacker registers a public Postman workspace and sets its display name to a path traversal string such as '../../.ssh/authorized_keys'. When a BBOT user or automated pipeline runs the postman_download module against a scope that resolves to include this workspace, BBOT queries the Postman API, retrieves the crafted name, and constructs a filesystem path by appending it to the configured output directory without sanitization. … |
| Remediation | Users should update BBOT to a version incorporating upstream commit 36bc20818 (https://github.com/blacklanternsecurity/bbot/commit/36bc20818) as soon as a tagged release is available, or pin to the patched commit directly. … |
References
- EUVD-2026-37818
- GHSA-m54h-vhf9-3w3m