Skip to main content

BBOT CVE-2026-14967

| EUVDEUVD-2026-42296 LOW
Path Traversal (CWE-22)
2026-07-08 BLSOPS
3.1
CVSS 3.1 · Vendor: BLSOPS

Severity by source

Vendor (BLSOPS) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

Network vector because the trigger is a remote repository URL; AC:H because operator must scan an attacker-controlled repo with the specific module active; UI:R for required operator action; I:L because the write is bounded and indirect.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (BLSOPS).

CVSS VectorVendor: BLSOPS

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 16:39 vuln.today

DescriptionCVE.org

BBOT's github_workflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODE_REPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the output location and its target is determined by the operator's configuration, not the attacker.

AnalysisAI

Path traversal in BBOT's github_workflows module allows a crafted CODE_REPOSITORY URL to write a downloaded artifact outside the operator-configured output directory by bypassing a path-containment check that failed to resolve .. sequences. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted GitHub repository with traversal URL
Delivery
Operator runs BBOT github_workflows scan against malicious repo
Exploit
Path-containment check fails to resolve `..` in artifact path
Execution
Artifact written outside configured output directory
Impact
File overwrite within two directory levels of output location

Vulnerability AssessmentAI

Exploitation Exploitation requires that the targeted BBOT installation actively scans a repository URL supplied or influenced by the attacker using the github_workflows module - the operator must initiate this scan (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 3.1 (Low) is consistent with the actual risk profile when all signals are examined together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a GitHub repository whose URL is crafted to embed `..` path components in a position that BBOT's github_workflows module incorporates into the artifact write path. When a security operator runs a BBOT scan that includes this repository URL with the github_workflows module active, BBOT downloads a workflow artifact and writes it to a path up to two directory levels above the configured output folder rather than within it. …
Remediation The primary fix is to update BBOT to a version that incorporates commit c1c6ec05ff998e2fba55a14d1026f12563ccd82f, available at https://github.com/blacklanternsecurity/bbot/commit/c1c6ec05ff998e2fba55a14d1026f12563ccd82f; a specific tagged release version is not confirmed in the available data, so operators should verify the installed version includes this commit or install from HEAD after the commit date. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy