CVE-2026-14967
Received Received - Intake

Path Traversal in BBOT GitHub Workflows Module

Vulnerability report for CVE-2026-14967, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Black Lantern Security

Description

BBOT's `github_workflows` module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve `..`, so a crafted `CODE_REPOSITORY` URL could traverse out of the intended folder. The write is bounded to two directory levels above the output location and its target is determined by the operator's configuration, not the attacker.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
blacklanternsecurity bbot *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows writing downloaded artifacts outside the configured output directory due to improper path containment checks. However, the write is limited to two directory levels above the output location and is determined by the operator's configuration, not directly by an attacker.

There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability exists in BBOT's github_workflows module where it could be tricked into writing a downloaded artifact outside its intended output directory. This happens because the module's path-containment check did not properly resolve the '..' path traversal sequences, allowing a crafted CODE_REPOSITORY URL to escape the designated folder.

However, the write is limited to two directory levels above the output location and the exact target location depends on the operator's configuration, not directly controlled by an attacker.

Impact Analysis

This vulnerability could allow an attacker to cause the BBOT tool to write files outside of its intended directory, potentially overwriting or placing files in unexpected locations on the system.

Since the write location is limited to two directory levels above the output directory and depends on the operator's configuration, the impact is somewhat constrained but could still lead to unintended file modifications or data placement.

The CVSS score of 3.1 indicates a low severity impact, with no confidentiality or availability impact, but a low integrity impact.

Detection Guidance

Detection of this vulnerability involves checking if the BBOT tool's github_workflows module improperly writes artifacts outside its configured output directory due to path traversal.

You can inspect the output directories for unexpected files or directories created two levels above the intended output location.

Additionally, reviewing logs or monitoring file system changes related to BBOT's artifact downloads may help identify suspicious activity.

Since the vulnerability involves crafted CODE_REPOSITORY URLs, you can search for usage of URLs containing path traversal sequences like ".." in BBOT configuration or workflow files.

Suggested commands include:

  • Use 'find' to locate files outside the expected output directory, for example: find /path/to/output/../../ -type f -mtime -7
  • Use 'grep' to search for suspicious URLs in configuration or workflow files: grep -r ".." /path/to/bbot/configs
  • Monitor file system changes with tools like 'inotifywait' or auditd to detect unexpected writes outside the output directory.
Mitigation Strategies

Immediate mitigation steps include updating BBOT to the fixed version that resolves the path traversal vulnerability.

The fix involves:

  • Ensuring the path-containment check resolves paths before validation to prevent traversal attempts.
  • Strictly validating that the hostname in URLs is exactly "github.com" to block malicious URLs.
  • Sanitizing artifact filenames to safe basenames to prevent dangerous names like "..".

Until the update is applied, avoid using untrusted CODE_REPOSITORY URLs and restrict BBOT's write permissions to limit potential damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart